In association with heise online

22 November 2010, 12:32

Spam hole in Google Mail


Until recently, a security hole in a Google API allowed emails to be sent to Gmail users without the sender knowing their email addresses. As reported by TechCrunch, victims only had to visit a specially crafted web site while logged into their Google account.

Apparently, the hole could even be exploited in Private Browsing mode, which does not normally give a site access to the user's existing cookies. The vulnerability allowed emails with arbitrary subject lines and message bodies to be sent from the email address As the emails carried an authentic header, it was virtually impossible for users to distinguish them from a genuine email sent by Google.

The hole was discovered by a 21-year-old Armenian, Vahe G., who made his demo exploit freely accessible on Google's Blogspot / Blogger service. Google shut the blog down shortly after the exploit was reported and confirmed the problem in an email to TechCrunch. Google says that the hole in its Apps Script API has now been traced and fixed.

