Google Successfully Plugs Gmail Vulnerability
Researchers had reported a cross-site request forgery flaw in Google that could enable an attacker to steal the contact list from a Gmail user's account. The Web application giant announced on January 2, 2007 that it has rectified the flaw.
On the same day, the founder and CTO of WhiteHat Security, Jeremiah Grossman described to SCMagazine.com that when somebody surfed a malicious website exploiting the vulnerability, the browser surreptitiously made request for the Gmail address list of that user.
Grossman termed it a massive privacy breach. The vulnerability is pretty awful and is expected to play a lot more in 2007. He said websites are not yet ready for defending it. The area of attack is built based on the working design of the Web such as via its linking pages.
If the web mail providers failed to spot, which sites attempted to run this 'callback' function it led to the compromise of contact lists of many users who logged on to Gmail account. When spammers tricked Gmail users into visiting a website constructed with malicious intent and the users shared the same login while logging onto Gmail, or other Google service, they were likely to surrender their contact list to those miscreants. The spammers would simply send messages to users' e-mail accounts and fool them into going to a hostile website, thus making the exploitation successful.
The flaw initially affected the Google video feature, a service involving file sharing, and it took several hours to fix the vulnerability, said Heather Adkins for Google. Following this Google received notices of the same problem affecting its other products, which it resolved within 24 hours of the report. Google is not aware of any exploitation of the vulnerability and no user was affected.
Related article: Google Rectifies Gmail flaw in Three Days
» SPAMfighter News - 06-01-2007