Google Patches Security Flaw Affecting Gmail Users

 
 
By Brian Prince  |  Posted 2010-11-22 Email Print this article Print
 
 
 
 
 
 
 

Google patched a vulnerability Nov. 20 that allowed someone to send spam to Gmail users.

Google has patched a vulnerability that could have been used to spam Gmail users who visited a specially crafted Website.

The bug was first reported Nov. 20 by TechCrunch after someone known as Vahe G. created a site to exploit the issue. The situation affected users who visited the site while they were still logged onto Gmail, and reportedly worked regardless of whether or not the user was browsing in Google Chrome's "Incognito" mode.

"We quickly fixed the issue in the Google Apps Script API that could have allowed for e-mails to be sent to Gmail users without their permission if they visited a specially designed Website while signed into their account," a Google spokesperson said. "We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com."

Graham Cluley, senior technology consultant for Sophos, noted in a blog post that the flaw could have provided a nice payday for spammers.

"Although this particular exploit appears to have been set up for mischief, more malicious hackers could easily have exploited the vulnerability to spread the typical money-making spam we often see or to distribute malware or a phishing attack," he wrote. "Users might be much more likely to click on a link if they saw it really did come from Google, and could put their personal data in danger."

"Nevertheless," he continued, "security issues like this are a real concern as more and more people rely upon email communications and their webmail providers to deliver a reliable, filtered inbox. This was a serious security hole."

Google recently expanded its bug reporting program to include the company's Web applications. The rewards program offers bug finders a maximum of $3,133.70 for vulnerabilities reported directly to the company. The base reward for qualifying bugs is $500.


 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel