In association with heise online

27 September 2007, 12:09

Message theft in Google Mail

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Petko Petkov (pdp) warns of a security hole in Google Mail. Compromised Websites that a Google Mail user uses during a webmail session may change filter settings, by means of which incoming and outgoing mail may be copied to third parties. This type of attack is known as Cross-Site-Request-Forgery attack (CSRF) or Session Riding.

Once set up, the filter remains active even after the user has logged out and enables complete observation of the user's email activity. Petkov has again declined to expose the exact nature of the threat - he has also not been forthcoming with details about the PDF reader security breach. He says he will provide details once Google has found a solution to the problem. On Tuesday, a further vulnerability in Google's photo organiser software Picasa was found. This has not yet been patched either.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit