Google fixes flaw that let hacker harvest Gmail e-mails

November 22, 2010, 3:07 PM
Google has patched a vulnerability in Gmail that allowed a hacker to harvest users' e-mail addresses simply by having them navigate to a specially crafted website, according to MSNBC. A 21-year-old Armenian calling himself "Vahe G." created a Blogspot site to exploit the issue, which affected users who visited the site while they were still logged into Gmail. The website has since been taken down.

The flaw could be exploited whether or not the user was browsing in Google Chrome's Incognito mode. Thankfully, Vahe simply e-mailed the users to warn them of the flaw, even though he could have sent spam (with or without malware) to the list of e-mail addresses he amassed. Since it appeared as if the e-mail originated from Google, users would have been much more likely to click whatever link was included in the spam message.

"We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account," a Google spokesperson said in a statement. "We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com."





User Comments: 2

ikesmasher said:

Good for you Vahe! Try helping instead of annoying people!

And good for Google for patching it up so fast.

Guest said:

It's about time they do something right.
