Google Rectifies Gmail flaw in Three Days
Google claimed to have rectified a cross-site scripting flaw in Gmail just three days after its discovery by Petko Petkov, the ethical hacker.
A spokesperson for Google Australia said that they worked fast to fix the newly reported vulnerability, as per the news published by ZDNet.co.uk September 28, 2007
A user logged into Gmail activates the attack when visiting a Website hosting malicious code. A special command is given by the code to access the Gmail account by setting up a new filter without the user being aware of it.
The filter can then be used by the attacker to forward any archived or future messages that contain specific keywords or the senders' names to the desired email account.
The spokesperson from Google denied any reported instance of the vulnerability being exploited, declaring that the security of user information is of prime importance for Google.
As per the news by ZDNet.co.uk on September 28, 2007, Chris Gatford from the Penetration-Testing Company Pure Hacking disclosed that the attackers are increasingly taking to cross-site scripting vulnerabilities, a trend that is largely being ignored by most of the organizations.
The past year has seen attackers resort to cross-site scripting vulnerabilities to capture cookie values so as to get access to the usually password-protected sites.
In an unrelated development, information about a cross-site scripting bug targeting users of enterprise-facing Google Search Appliance had been made public by a Romanian Security Researcher.
Exploitation by means of a combination of cross-site scripting, cross-application request forgery, and URI handler weakness to retrieve photographs from the victim's hard drive also poses a threat to Google's Picasa photo-sharing software and Web services.
As Internet usage for desktop applications including email and word processing became increasingly popular, the threat of these security holes is also growing to unprecedented levels. Despite new innovations like AJAX being introduced to expand the range of offerings on the Internet, they bring along with them additional security hazards. This emphasizes the importance for Web developers to take no chances when it comes to the security of their Websites against such vulnerabilities.
Related article: Google Launches ‘Code Search’
» SPAMfighter News - 16-10-2007