Google has patched a vulnerability that could have been used to spam Gmail users who visited a specially crafted Website.
The bug was first reported Nov. 20 by TechCrunch after someone known as Vahe G. created a site to exploit the issue. The situation affected users who visited the site while they were still logged onto Gmail, and reportedly worked regardless of whether or not the user was browsing in Google Chrome’s “Incognito” mode.
“We quickly fixed the issue in the Google Apps Script API that could have allowed for e-mails to be sent to Gmail users without their permission if they visited a specially designed Website while signed into their account,” a Google spokesperson said. “We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to firstname.lastname@example.org.”
Graham Cluley, senior technology consultant for Sophos, noted in a blog post that the flaw could have provided a nice payday for spammers.
“Although this particular exploit appears to have been set up for mischief, more malicious hackers could easily have exploited the vulnerability to spread the typical money-making spam we often see or to distribute malware or a phishing attack,” he wrote. “Users might be much more likely to click on a link if they saw it really did come from Google, and could put their personal data in danger.”
“Nevertheless,” he continued, “security issues like this are a real concern as more and more people rely upon email communications and their webmail providers to deliver a reliable, filtered inbox. This was a serious security hole.”
Google recently expanded its bug reporting program to include the company’s Web applications. The rewards program offers bug finders a maximum of $3,133.70 for vulnerabilities reported directly to the company. The base reward for qualifying bugs is $500.