Google Inc. is facing some serious questions about the security of its applications after a researcher disclosed a flaw in its popular Gmail offering.
The new issue is a cross-site request forgery flaw in Gmail, a close relative of cross-site scripting, which could enable an attacker to silently forward email and contacts from a victim's account to any address the attacker chooses.
The problem, discovered and detailed by GNUCitizen, a hacking group that tracks flaws in so-called Web 2.0 applications, arises when a user who is logged in to Gmail visits a malicious Web page carrying a small piece of embedded code. That code makes the victim's browser send a forged request to Gmail's filter interface; because the browser automatically attaches the user's Gmail session cookie, Gmail treats the request as the user's own and injects the attacker's filter into the user's Gmail filter list.
The attacker can write whatever filter he chooses, a powerful capability in Gmail. An attacker could, for example, write a filter to pull every email from a specific sender or with the words "Bank of America" in the subject line, and have them forwarded to a remote mailbox. Once the filter is in place, it would work silently until the user happened to notice it in the filter list. The attacker could also use the filter to pull contact information from the victim's address book, if he chose.
Security experts say this vulnerability, a cross-site request forgery (CSRF), is a classic example of the growing danger of cross-site flaws such as XSS and CSRF in a world where technologies such as AJAX and JavaScript are ubiquitous.
"This is not what we see with other cross-site scripting. This is injecting scripts and being able to take over the user's mailbox. You can send emails, pull contacts, whatever," said Billy Hoffman, lead researcher at HP Security Labs, based in Atlanta, and an expert on AJAX and Web security issues. "This shows just how dangerous cross-site scripting is. We're starting to see people take this more seriously because of the amount of AJAX that's being used on online banking sites and other sites. I think it's hitting a critical mass."
Petko D. Petkov, the researcher who found and disclosed the vulnerability, said Web-based flaws are now more serious in many cases than holes in packaged software applications.
"In an age where all the data is in the cloud, it makes no sense for the attackers to go after your box. It is a lot simpler to install one of these persistent backdoor/spyware filters," Petkov wrote in his description of the attack. "Game over! They don't own your box, but they have you, which is a lot better."