Gmail Bug Could Forward E-mails to Undesirable Destinations
Google's security measures are not stopping attackers very well: a bug in Gmail could let an attacker forward all of a victim's e-mail messages, along with their attachments, to a different e-mail address.
UK-based researcher Petko Petkov, who does penetration testing for Web vulnerabilities, disclosed the Gmail flaw on September 25, 2007. PCWorld reported it on September 26, 2007. Petkov had gained recognition in the 2nd and 3rd weeks of September 2007, when he publicly posted information describing critical zero-day flaws in Adobe Systems Inc.'s PDF (Portable Document Format), Microsoft Corp.'s Windows Media Player, and Apple Inc.'s QuickTime.
Petkov refused to give details about the Gmail flaw. He said attackers could exploit the bug through Gmail's filtering feature. To start with, the attacker would need the victim to open a malicious Website while logged in to Gmail. Petkov called the next stage, carried out by the malicious site, a "multipart/form-data POST". The malware-laden site would issue a special HTML command with which files could be uploaded to any of the Gmail program interfaces, and would then insert a bogus filter into the victim's filter list.
Petkov posted multiple screenshots on the site Gnucitizen.org to illustrate a sample attack. He warned that even if Google released a patch, the problem would not be fully fixed: as long as the bogus filter remains in place, messages could still be forwarded to other addresses. SCMagazine reported this on September 26, 2007.
On September 25, 2007, SCMagazine reported that Petkov had asked other researchers not to reveal the details of the flaw until Google repaired it. On the Gnucitizen blog, he described the vulnerability as extremely nasty.
Google takes the security of its users' information very seriously and was working on a patch for the vulnerability, said the Mountain View, California-based search giant, as reported by SCMagazine.
The attack uses the cross-site request forgery technique, which had caused trouble for Google before. Earlier this year, Google encountered a similar vulnerability, which exposed Gmail contact lists to security risks.
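Because a bogus filter keeps forwarding mail after the underlying flaw is patched, the filter list itself has to be reviewed. The following is an added example, not code from Petkov, Google or the original article: it audits a filter list for forwarding rules the account owner did not set up. The record layout, the trusted-address list and all sample values are constructed for illustration and are not Gmail's own format.

```python
# Added example: audit a mailbox filter list for unexpected forwarding rules.
# The record layout is hypothetical, not Gmail's export format.

# Assumption: forwarding addresses the account owner configured on purpose.
TRUSTED_FORWARD_TARGETS = {"me@backup.example"}

# Constructed sample filter list.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "news@shop.example"},
     "action": {"label": "Shopping"}},
    {"id": "f2", "criteria": {"has_attachment": True},
     "action": {"forward": "collect@attacker.example"}},
    {"id": "f3", "criteria": {"subject": "invoice"},
     "action": {"forward": "me@backup.example"}},
    {"id": "f4", "criteria": {},
     "action": {"forward": "Drop@Elsewhere.example", "archive": True}},
]


def audit_filters(filters, trusted=TRUSTED_FORWARD_TARGETS):
    """Return one finding per filter that forwards to an untrusted address."""
    trusted_norm = {addr.strip().lower() for addr in trusted}
    findings = []
    for flt in filters:
        action = flt.get("action") or {}
        target = action.get("forward")
        if not target:
            continue  # filter does not forward mail anywhere
        target_norm = target.strip().lower()
        if target_norm in trusted_norm:
            continue  # forwarding the owner knows about
        criteria = flt.get("criteria") or {}
        reasons = ["forwards to untrusted address"]
        if not criteria:
            reasons.append("matches all mail")
        if criteria.get("has_attachment"):
            reasons.append("targets attachments")
        if action.get("archive") or action.get("delete"):
            reasons.append("hides the message from the inbox")
        findings.append({"id": flt.get("id"), "forward": target_norm,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS):
        print(finding["id"], finding["forward"], "; ".join(finding["reasons"]))
```

Any filter this reports should be deleted by the account owner unless they recognise it, regardless of whether the request-forgery flaw has been patched.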
» SPAMfighter News - 09-10-2007