Google Gmail E-mail Hijack

MowGreen [MVP]

http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

While being logged into Gmail with the browser interface, IF one opens
another tab/browser window and stumbles across an 'evil' site, the
'evil' site can inject a filter into the Filter List. The attacker can
then forward emails wherever they want via the filter.
The above site contains graphics that show how this is accomplished.

> The attack will remain present for as long as the victim has the filter within their
> filter list, even if the initial vulnerability, which was the cause of the injection, is
> fixed by Google.



Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search
Appliance
http://blogs.zdnet.com/security/?p=539

> The unpatched GMail bug, which was demonstrated for me by hacker Petko D. Petkov, is
> particularly nasty because of the way the exploit works without any user action and the
> fact that it’s difficult for the average GMail user to know that e-mails are being stolen.




MowGreen [MVP 2003-2007]
===============
*-343-* FDNY
Never Forgotten
===============
 
jen

"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
news:%23GeqtSHAIHA.3848@TK2MSFTNGP05.phx.gbl...
> http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
> While being logged into Gmail with the browser interface, IF one opens
> another tab/browser window and stumbles across an 'evil' site, the
> 'evil' site can inject a filter into the Filter List. The attacker can
> then forward emails wherever they want via the filter.
> The above site contains graphics that show how this is accomplished.
>> The attack will remain present for as long as the victim has the
>> filter within their filter list, even if the initial vulnerability,
>> which was the cause of the injection, is fixed by Google.

> Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search
> Appliance
> http://blogs.zdnet.com/security/?p=539
>> The unpatched GMail bug, which was demonstrated for me by hacker
>> Petko D. Petkov, is particularly nasty because of the way the exploit
>> works without any user action and the fact that it’s difficult for
>> the average GMail user to know that e-mails are being stolen.


Simple remedy... Use Firefox with No-Script:
GMail POST Mortem, CSRF Countermeasures and NoScript Misconceptions:
http://hackademix.net/2007/09/26/gmail_csrf/

-jen
 