Message theft in Google Mail
Petko Petkov (pdp) warns of a security hole in Google Mail. Compromised Websites that a Google Mail user uses during a webmail session may change filter settings, by means of which incoming and outgoing mail may be copied to third parties. This type of attack is known as Cross-Site-Request-Forgery attack (CSRF) or Session Riding.
Once set up, the filter remains active even after the user has logged out and enables complete observation of the user's email activity. Petkov has again declined to expose the exact nature of the threat - he has also not been forthcoming with details about the PDF reader security breach. He says he will provide details once Google has found a solution to the problem. On Tuesday, a further vulnerability in Google's photo organiser software Picasa was found. This has not yet been patched either.
- Google GMail E-mail Hijack Technique, security report from Petko Petkov (pdp)
(mba)