Google Blogoscoped

Sunday, November 23, 2008

Malicious Setting Up of Filters in Gmail?

Brandon at GeekCondition reports a Gmail security vulnerability that lets an attacker set up automated filters in your Gmail account, provided the attacker first manages to lure you onto a page of theirs. Brandon does not post the full exploit (obtaining a certain variable for this exploit “is tricky but possible”, Brandon says, adding that he’s “not going to tell you how to do it, if you search hard enough online you’ll find out how”), and I’m not sure if this works on just any browser. Because automated filters can cause mail addressed to you to be forwarded to someone else (and trashed in your account), some have already had their domain name kidnapped due to this issue. To Gmail users, Brandon suggests: “Check your filters and make sure that nothing seems out of the ordinary.”

Update: Google’s Matt Cutts comments, “I believe the 2007 issue was fixed. What’s strange is that the new post on boils down to an unmentioned way of stealing cookies. I believe some Googlers were trying to contact Brandon soon after his post for more info, but haven’t yet heard back. Hopefully we’ll hear back soon and can check it out though.” [Thanks Matt!]

Update 2: Google says “we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability.” [Thanks A.!]

