Google Inc. is facing some serious questions about the security of its applications after a researcher disclosed a flaw in its popular Gmail offering.
The new issue is a variant of a cross-site scripting vulnerability in Gmail which could enable an attacker to silently forward emails and contacts from a remote user's account to any email account he chose.
The problem, discovered and detailed by GNUCitizen, a hacking group that tracks flaws in so-called Web 2.0 applications, arises when a user who is logged in to Gmail visits a malicious Web page with a special bit of code embedded in it. The page performs an action that injects a filter into the user's Gmail filter list.
The attacker can write whatever filter he chooses, a powerful capability in Gmail. An attacker could, for example, write a filter to pull every email from a specific sender or with the words "Bank of America" in the subject line, and have them forwarded to a remote mailbox. Once the filter is in place, it would work silently until the user noticed its existence. The attacker could also use the filter to pull contact information from the victim's address book, if he chose.
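The mechanism described above depends on a state-changing request (creating a filter) being accepted on the strength of the victim's session cookie alone, which the browser attaches to any request a third-party page triggers. The following simulation, added here as an illustration and not Gmail's code or GNUCitizen's material, contrasts a cookie-only filter endpoint with one that also requires a per-session anti-forgery token; the session store, account, filter fields and addresses are all constructed.

```python
"""Simulated filter-creation endpoint: cookie-only auth vs. per-session token."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed session store: session id -> (account, anti-forgery token).
SESSIONS = {"sess-abc": ("victim@example.test", secrets.token_hex(16))}


@dataclass
class Mailbox:
    filters: list = field(default_factory=list)


@dataclass
class Request:
    cookies: dict  # sent automatically by the browser, whoever triggered the request
    form: dict     # supplied by the page that built the request


def create_filter_cookie_only(req: Request, mailbox: Mailbox) -> str:
    """Weak variant: a valid session cookie is the only authorisation check."""
    if req.cookies.get("sid") not in SESSIONS:
        return "unauthenticated"
    mailbox.filters.append({"match": req.form["match"], "forward_to": req.form["forward_to"]})
    return "created"


def create_filter_with_token(req: Request, mailbox: Mailbox) -> str:
    """Hardened variant: also requires the session's token, which only pages
    served from the application itself can read and place in the form."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return "unauthenticated"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session[1]):
        return "rejected"  # request carried a cookie but no proof of origin
    mailbox.filters.append({"match": req.form["match"], "forward_to": req.form["forward_to"]})
    return "created"


def cross_site_request() -> Request:
    """What a third-party page can cause: cookie present, token unknown to it."""
    return Request({"sid": "sess-abc"},
                   {"match": "subject:Bank of America", "forward_to": "drop@example.invalid"})


def same_site_request() -> Request:
    """What the application's own filter form submits: cookie plus token."""
    return Request({"sid": "sess-abc"},
                   {"match": "from:newsletter", "forward_to": "", "csrf_token": SESSIONS["sess-abc"][1]})


def demo() -> tuple:
    weak, hardened = Mailbox(), Mailbox()
    return (create_filter_cookie_only(cross_site_request(), weak),
            create_filter_with_token(cross_site_request(), hardened),
            create_filter_with_token(same_site_request(), hardened),
            len(weak.filters), len(hardened.filters))
```

The weak endpoint installs the forwarding filter from the cross-site request, while the hardened one rejects it and still accepts the application's own form submission.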
"This is not what we see with other cross-site scripting. This is injecting scripts and being able to take over the user's mailbox. You can send emails, pull contacts, whatever," said Billy Hoffman, lead researcher at HP Security Labs, based in Atlanta, and an expert on AJAX and Web security issues. "This shows just how dangerous cross-site scripting is. We're starting to see people take this more seriously because of the amount of AJAX that's being used on online banking sites and other sites. I think it's hitting a critical mass."
Petko D. Petkov, the researcher who found and disclosed the vulnerability, said Web-based flaws are now more serious in many cases than holes in packaged software applications. "In an age where all the data is in the cloud, it makes no sense for the attackers to go after your box. It is a lot simpler to install one of these persistent backdoor/spyware filters," Petkov wrote in his description of the attack. "Game over! They don't own your box, but they have you, which is a lot better."