Google has patched a vulnerability in Gmail that allowed a hacker to harvest their e-mail address by simply having them navigate to a specially-crafted website, according to MSNBC. A 21-year-old Armenian calling himself "Vahe G." created a Blogspot to exploit the issue, which affected users who visited the site while they were still logged into Gmail. The website has since been taken down.
The flaw could be exploited whether or not the user was browsing in Google Chrome's Incognito mode. Thankfully, Vahe simply e-mailed the users to warn them of the flaw, even though he could have sent spam (with or without malware) to the list of e-mail addresses he amassed. Since it appeared as if the e-mail originated from Google, users would have been much more likely to click whatever link was included in the spam message.
"We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account," a Google spokesperson said in a statement. "We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com."