Google Successfully Plugs Gmail Vulnerability

Researchers had reported a cross-site request forgery flaw in Google that could enable an attacker to steal the contact list from a Gmail user's account. The Web application giant announced on January 2, 2007 that it had rectified the flaw.

On the same day, Jeremiah Grossman, the founder and CTO of WhiteHat Security, told SCMagazine.com that when somebody visited a malicious website exploiting the vulnerability, the browser surreptitiously made a request for that user's Gmail address list.

Grossman termed it a massive privacy breach. The vulnerability is pretty awful and is expected to come into play a lot more in 2007. He said websites are not yet ready to defend against it. The area of attack is built on the working design of the Web, such as the way pages link to one another.

Some time earlier, Gmail had stored the address list in JavaScript files under the same URL. This allowed hackers to record a user's contact list by using a script that referenced the URL.

If the web mail provider failed to check which sites attempted to run this 'callback' function, the contact lists of many users who were logged on to a Gmail account could be compromised. When spammers tricked Gmail users into visiting a website constructed with malicious intent, and the users were using the same login for Gmail or another Google service, they were likely to surrender their contact lists to those miscreants. The spammers would simply send messages to users' e-mail accounts and fool them into going to a hostile website, thus making the exploitation successful.
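The difference between an endpoint that trusts only the login cookie and one that checks which site is asking, as an added example that is not from the original article and is not Google's code or its actual fix. The handler names, the origin `https://mail.example.com`, the `x-contacts-token` header and all data are assumptions constructed for illustration.

```javascript
// Constructed sample data: one logged-in session, its address book and its token.
const CONTACTS = { "session-abc": ["alice@example.com", "bob@example.com"] };
const SESSION_TOKENS = { "session-abc": "tok-7f3a9c" };
// Hypothetical allowlist of the mail application's own origins.
const TRUSTED_ORIGINS = new Set(["https://mail.example.com"]);

// Weak form: the session cookie alone decides, and the reply is executable
// script wrapped in a caller-chosen callback, so any page can include it.
function contactsWeak(req) {
  const list = CONTACTS[req.cookies.sid];
  if (!list) return { status: 401, body: "" };
  const body = `${req.query.callback}(${JSON.stringify(list)})`;
  return { status: 200, type: "text/javascript", body };
}

// Parse a header value into an origin; missing or malformed values yield null.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Constant-time string comparison for the token check.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function contactsHardened(req) {
  const list = CONTACTS[req.cookies.sid];
  if (!list) return { status: 401, body: "" };
  // 1. Check which site is asking: Origin, falling back to Referer.
  const origin = originOf(req.headers.origin || req.headers.referer);
  if (!TRUSTED_ORIGINS.has(origin)) return { status: 403, body: "" };
  // 2. Require a per-session token in a custom header; a cross-site
  //    <script> include cannot set request headers.
  if (!safeEqual(req.headers["x-contacts-token"], SESSION_TOKENS[req.cookies.sid]))
    return { status: 403, body: "" };
  // 3. Return plain JSON, not script, and ignore any callback parameter.
  return { status: 200, type: "application/json", body: JSON.stringify(list) };
}

// Constructed requests: one triggered from another site, one from the mail app.
const crossSite = { cookies: { sid: "session-abc" }, query: { callback: "cb" },
  headers: { referer: "https://hostile.example/page.html" } };
const sameSite = { cookies: { sid: "session-abc" }, query: {},
  headers: { origin: "https://mail.example.com", "x-contacts-token": "tok-7f3a9c" } };

console.log(contactsWeak(crossSite).status, contactsHardened(crossSite).status,
  contactsHardened(sameSite).status);
```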

The flaw initially affected the Google video feature, a service involving file sharing, and it took several hours to fix the vulnerability, said Heather Adkins, speaking for Google. Following this, Google received notices of the same problem affecting its other products, which it resolved within 24 hours of the report. Google is not aware of any exploitation of the vulnerability and no user was affected.

Google's coders had not perceived the risk in storing sensitive data in JavaScript under known URLs, a problem they detected soon after changing the code at the end of December 2006.

Related article: Google Rectifies Gmail flaw in Three Days

» SPAMfighter News - 06-01-2007
