Google fixes Gmail zero-day

Discussion in 'Google' started by knightkrm, Oct 2, 2007.

  1. #1
    The problem is a cross-site scripting flaw attackers could exploit to silently forward emails and contacts from a remote user’s account to any email account he or she chose. The security hole was uncovered by GNUCitizen, a hacking group that tracks Web 2.0 application flaws, and comes into play when a user logged in to Gmail visits a malicious Web site laced with attack code. The site performs an action that injects a filter into the user’s Gmail filter list.

    Petko D. Petkov, the GNUCitizen researcher who discovered the flaw, confirmed in the GNUCitizen blog that Google has fixed the vulnerability. As a result, he has released the full proof-of-concept code showing how to exploit the flaw.

    While Google says it hasn’t received any reports of users being victimized via this flaw, security experts are recommending that users log in and check their filter to be sure nothing fishy has happened.
    Petkov had warned that even with a fix the security risks could continue until the rigged filter is removed.

    The Gmail flaw was one of several Google security problems researchers disclosed in the past couple weeks. It all illustrates the dangers users face in the Web 2.0 world. I talked to several security researchers this past month for a story I’m writing for Information Security magazine, and they all said that they worry the most about these types of flaws. Web 2.0 applications are being produced and released at a fast and furious pace to feed demand, and security has been an afterthought. At the same time, the hacking community is working diligently to create Web 2.0 attack kits.

    “What I see in development are more Web-based exploits, more people are putting out these turn-key attacker kits like WebAttacker, Mpack, and IcePack,” says Joe Stewart, a senior researcher at SecureWorks. “A commodity market has sprung up around these tools, and its authors are making more money as they add new features.”

    So as wonderful as those Google gadgets and other online tools are, users must tread carefully.

    This article is from
    http://security.blogs.techtarget.com/2007/10/02/google-fixes-gmail-zero-day/
     
    knightkrm, Oct 2, 2007