Google Inc. has quietly patched a security bug in its Gmail service, but the company is downplaying the severity of the risk to its users.
Google confirmed that it made “modifications” to Gmail to cover an attack vector that allowed malicious hackers to take complete control of a victims Gmail account.
The companys confirmation followed the blow-by-blow public disclosure of the bug on the elhacker.net Web site.
The elhacker.net advisory described how a Gmail user token could be used in conjunction with other hacking tricks to take control of the victim account.
However, Google spokesperson Sonya Boralv told Ziff Davis Internet News that a successful attack would require the victim to open up an authenticated token and willingly give it to the attacker.
The risk of an actual attack is so slim, she said the company did not consider it a security vulnerability. Boralv said the authentication token is totally encrypted and cannot be sniffed by an attacker.
“Nevertheless, we have made some modifications to Gmail to mitigate these kinds of issues in the future,” Boralv added.
In the face of concerns that Google never notified users of the Gmail issue, Boralv insist that the company follows security best practices.
“We take security very seriously, investigate vulnerability reports immediately and resolve them with highest priority. We looked into this issue and learned that it can only occur if a user knowingly provides their authentication token,” she said.
To avoid this problem, Boralv said, Google tries to educate its users not to provide sensitive information to unidentified individuals. Google also provides anti-phishing guidance to its users.
“All Google products are put through a rigorous security review process to identify security issues and fix them before the product is released. If security vulnerabilities are identified after the product is available, we fix them immediately and automatically update the service for our customers,” Boralv said.
