Google patched a vulnerability Nov. 20 that allowed someone to send spam to Gmail users.
Google has patched a vulnerability that could have been used to
spam Gmail users who visited a specially crafted Website.
The bug was first
reported
Nov. 20 by TechCrunch after someone known as Vahe G. created a site to
exploit the issue. The situation affected users who visited the site while they
were still logged onto Gmail, and reportedly worked regardless of whether or
not the user was browsing in Google Chrome's "Incognito"
mode.
"We quickly fixed the issue in the Google Apps Script API
that could have allowed for e-mails to be sent to Gmail users without their
permission if they visited a specially designed Website while signed into their
account," a Google spokesperson said. "We immediately removed the
site that demonstrated this issue, and disabled the functionality soon after.
We encourage responsible disclosure of potential application security issues to
security@google.com."
Graham Cluley, senior technology consultant for Sophos,
noted
in a blog post that the flaw could have provided a nice payday for
spammers.
"Although this particular exploit appears to have been set up for
mischief, more malicious hackers could easily have exploited the vulnerability
to spread the typical money-making spam we often see or to distribute malware
or a phishing attack," he wrote. "Users might be much more likely to
click on a link if they saw it really did come from Google, and could put their
personal data in danger."
"Nevertheless," he continued, "security issues like this are
a real concern as more and more people rely upon email communications and their
webmail providers to deliver a reliable, filtered inbox. This was a serious
security hole."
Google recently expanded its
bug
reporting program to include the company's Web applications. The rewards
program offers bug finders a maximum of $3,133.70 for vulnerabilities reported
directly to the company. The base reward for qualifying bugs is $500.
Email
Print
