Google Blogoscoped


GMail Security Flaw Exposed

* Miss Universe [PersonRank 7]

Saturday, May 10, 2008
16 years ago, 2,797 views

http://arstechnica.com/news.ars/post/20080510-security-flaw-turns-gmail-into-open-relay-server.html
http://ece.uprm.edu/~andre/insert/gmail.html

Gmail's normal approach to messages sent through its SMTP service is to rewrite some of the Message Body headers to prevent identity fraud. By exploiting this flaw, an attacker can easily bypass this restriction. This happens because attack messages are disguised as legitimately destined to a compromised account. This way, Gmail will deliver the message to the attack target without modifying any of the Message Body Headers, and more importantly, it will preserve even forged sender's identity information intact.
Since the attack message can be forged at the attacker's will and can be forwarded by Google's servers any number of times, this vulnerability is a major spam and phishing threat concern.

Ianf [PersonRank 10]

16 years ago

http://ece.uprm.edu/~andre/insert/gmail.html
Strangely enough, this INSERT partial vulnerability disclosure/error report isn't explicitly dated, nor is there any indication of how the authors propose to declare it fixed, once (when?) Google attends to it.
http://ece.uprm.edu/~andre/insert/confidential.gif
Glad to hear (read) it.
