|Home » Industry Watch
Gmail Cross-site Request Exploit
Brought to you by the people who don't care about security and don't destroy anything.
There's been a security hole in Gmail which let hackers steal mail messages from users without being noticed. It's been fixed but there may be more to come. Given Google's well known disdain of thinking about security there surely is.
The attack worked by forcing a logged in user to add a mail filter - thereby forwarding mail to an external address.
Because Gmail did not verify the origin of these requests it was possible for hackers to create web pages that automatically made the filtering requests - in other words a 'drive by' requiring no further user interaction.
A caveat for the exploit was that Gmail users needed to be first logged in; however given the span of Google cookies (2038 or the turnaround for 32-bit GOOS) this hardly presented a problem.
David Cavanagh of Thailand was brutalised by such an attack: hackers not only took over his mail account - they also changed all his domain registration information, parking some domains and completely canceling others.
The hackers also sent mail to all Cavanagh's contacts requesting money. 'Crazy unbelievable stuff', writes Cavanagh.
Google don't exactly have a reputation for worrying about security. Cross-site scripting vulnerabilities with Google software are not new - responding to them is. For over two years security researchers were writing to the Brin/Page extravaganza at a dedicated security alert mail address only to discover incoming mail was automatically destroyed without being read.
And even if you dear Gmail user decide to remove sensitive correspondence from your account it's never really gone - and Brin/Page have the bad tact to tell you so.
Where will the next Google/Gmail exploit come from?
Warrior Forum: ** David Cavanagh Completely Hacked **
Netcraft: Gmail Cross-site Request Forgery Vulnerability