Google denies security hole in Google Mail
According to a statement issued by Google, the recently reported manipulation of Google Mail accounts was not traceable to a cross-site request forgery (CSRF) vulnerability. Rather, an analysis conducted with the participation of the victims determined the cause to be simple phishing attacks against e-mail account holders. The con artists used the phished credentials to log in to the accounts and define mail filters that automatically diverted incoming messages to addresses under their control.
This gave the scammers access to the password-reset instructions sent by the domain registrar, permitting them to transfer the domain or grant themselves access rights to it. The operators of MakeUseOf.com, a news site whose domain is registered at GoDaddy.com, admitted to being victims of the early-November attack.
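The practical check that follows from the attack described above is to audit the filter rules of a mailbox for anything that forwards mail to an outside address, particularly rules that also trash, archive or mark-as-read the original so the owner never sees the diverted copy. The following is an added example, not code from Google or from heise; it assumes a filter export in the Atom-based format Gmail uses for its mailFilters.xml export (entries carrying apps:property elements such as forwardTo and shouldTrash), and the sample document embedded below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Gmail's mailFilters.xml export (assumption: format as documented by Google).
NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}

# Constructed sample export: one benign label rule, one in-domain forward,
# and two rules of the kind an intruder would plant after phishing the password.
SAMPLE_FILTERS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='boss@makeuseof.example'/>
    <apps:property name='forwardTo' value='archive@makeuseof.example'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='forwardTo' value='dropbox.mail@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='support@registrar.example'/>
    <apps:property name='forwardTo' value='attacker@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

# Properties whose presence means the owner will not see the diverted message in the inbox.
HIDING_PROPERTIES = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")


def parse_filters(xml_text):
    """Return each filter entry as a dict of apps:property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        filters.append(props)
    return filters


def audit_filters(xml_text, trusted_domains):
    """Flag forwarding rules that leave the organisation or hide the forwarded copy.

    trusted_domains: set of lower-case mail domains that forwarding may legitimately target.
    Returns a list of findings, one per suspicious rule, in export order.
    """
    findings = []
    for index, props in enumerate(parse_filters(xml_text), start=1):
        forward_to = props.get("forwardTo")
        if not forward_to:
            continue  # rule does not divert mail, not of interest here
        domain = forward_to.rsplit("@", 1)[-1].lower()
        external = domain not in trusted_domains
        hides = [name for name in HIDING_PROPERTIES if props.get(name) == "true"]
        if external or hides:
            findings.append({
                "index": index,
                "match": props.get("from") or props.get("hasTheWord") or "*",
                "forward_to": forward_to,
                "external": external,
                "hides": hides,
            })
    return findings


if __name__ == "__main__":
    for f in audit_filters(SAMPLE_FILTERS_XML, {"makeuseof.example"}):
        print(f"filter #{f['index']}: matches {f['match']!r} -> {f['forward_to']}"
              f" external={f['external']} hides={f['hides']}")
```

A rule that forwards to an external address and trashes the original is exactly the shape that makes a registrar's password-reset mail disappear from the owner's view; treating "external" and "hides" as separate signals lets a reviewer tolerate an in-domain archive forward while still catching a forward-and-trash rule that targets an address inside the organisation.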
Google also quashed suspicions that a vulnerability that came to light in 2007 could still be exploited. Still, Google did not explicitly refute the instructions posted on the GeekCondition blog, which explained how an unauthorised party could define a filter in another user's e-mail account.
According to Google, Google Mail users are adequately protected against phishing if they access the mail service exclusively over HTTPS (SSL-secured HTTP), check the validity of the server certificate, and do not simply click through certificate error messages. In a guidebook issued last summer, ICANN also warned of phishing attacks in which site administrators ended up on falsified registrar sites, where they revealed their usernames and passwords. Unfortunately, ICANN failed to take its own advice to heart, resulting in the hijacking of the ICANN (and IANA) domains by Turkish hackers.
- Gmail security and recent phishing activity, Google statement
- Hole in Google Mail allows mail to be hijacked, heise online UK report