Google working to patch Gmail message-forwarding flaw

Powered by SC Magazine
 

A flaw in Gmail can allow an attacker to forward all messages with attachments to another email address.

An attacker must force a potential victim, logged into their Gmail account, to visit a malicious page that injects a filter into the victim's filter list, according to researcher Petko Petkov of Gnucitizen. The filter sends emails with attachments to an address of the attacker's choice.

Classifying exploitation a cross-site request forgery, Petkov warned that even if Google releases a fix for the flaw, messages would still be forwarded to the third-party address because the filter is still present.

Petkov on Tuesday urged other researchers not to disclose details of the flaw until Google fixes it, saying the vulnerability is “extremely nasty if you ask me” on the Gnucitizen blog.

“If you find this vulnerability, please do not disclose it. Let Google fix it first and then blog about it,” he said. “In an age where all the data is in the cloud, it makes no sense for the attackers to go after your box. It is a lot simpler to install one of these persistent backdoor/spyware filters. Game over! They don't own your box, but they have you, which is a lot better.”

Petkov told SCMagazineUS.com today that Google replied to him, saying that they have “confirmed the vulnerability and now they are looking for ways to fix it.”

Google today released a statement saying that the company would issue a fix shortly.

“Google takes the security of our users' information very seriously, and we are working on a fix to the recently reported vulnerability, which we expect to be implemented shortly,” the Mountain View, Calif.-based search giant said in a statement.

Petkov this month also discovered a flaw in QuickTime and Firefox, and a vulnerability in Adobe Reader – both fixed by vendors last week.

See original article on SC Magazine US

Copyright © SC Magazine, US edition


Google working to patch Gmail message-forwarding flaw
 
 
 
Top Stories
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
The CISO’s dilemma: Do you trust your partner’s partner?
[Blog post] How far down the chain do you check?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 313

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  58%
 
No
  42%
TOTAL VOTES: 118

Vote