Gmail flaw discovered that allows theft of confidential information

Sapo opens laboratory at the University of Aveiro

The analyst Petko Petkov found a flaw in Gmail and published it on his website, where he also demonstrates the technique that allows the placement of a backdoor in the user’s email account. Petkov did not disclose all details of the vulnerability, giving Google an opportunity to develop the bug fix.

According to analysts, the flaw allows attacks of the type cross-site request forgery, or XSRF, that is, it allows the execution of codes hosted on malicious pages on the website to which the user is connected, in this case, on the Gmail pages.

In this way, the hacker would be able to access user data by having them visit a malicious website while using their Gmail account. The fraudulent website would execute an HTML command used to Upload file called «multipart / form-date POST» to introduce a fake filter into the victim’s Gmail account that forwards all email messages to another email address email.

This is not the first flaw discovered in Google applications. Other errors have already been discovered in the Blogger service in Picasa, as well as in other company services

Related News:

2007-06-01 – Computer security affected by Google Desktop failure

2007-01-03 – Failure in Gmail deletes data from 60 users