Advertisement
Promo

Security threats Toolkit

Google plugs Gmail security hole

Liam Tung ZDNet Australia

Published: 28 Sep 2007 12:23 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Three days after ethical hacker Petko Petkov announced his discovery of a cross-site scripting vulnerability in Gmail, Google says it has fixed the problem.

"We worked quickly to address the recently reported vulnerability, and we have rolled out a fix," a Google Australia spokesperson said today.

The vulnerability discovered by Petkov, who posted his findings at the GNUCitizen website, could potentially have allowed an attacker to seize control of session cookies if a user clicked on a malicious link while logged into their account.

Under the scenario, an attacker could siphon emails from the hacked account to a separate POP account, Chris Gatford, from penetration-testing company Pure Hacking, explained on Wednesday.

"If someone picks up on this before Google fixes it — or if someone knew of the vulnerability before this guy published it — this could be very damaging to Gmail users," Gatford said.

Read this

Feature
Q&A: Be alert to booby-trapped web pages

Trend Micro chief technology officer Raimund Genes warns that online life is about to get much hairier...

Read more +

However, Google's spokesperson said the search giant had not received any reports of the vulnerability being exploited, and added: "Google takes the security of our users' information very seriously."

Pure Hacking's Gatford said cross-site scripting vulnerabilities are gaining popularity amongst attackers and that many organisations are overlooking the problem.

"In the last year or so, [cross-site scripting vulnerabilities] have been used by attackers to grab cookie values and therefore gain access to normally password-protected sites," said Gatford.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
7 out of 7 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:







Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Authentication risks all too human

Risks to successful online banking identification and authentication using smartcards involve a mixture of human and technological factors, according to the European Network and Information... More

1 comment

Opera censors Chinese content

Opera has updated the Chinese version of its mobile browser to stop users accessing restricted content. Opera Mini was updated on Friday from an international to a Chinese version,... More

2 comments

Symantec website breached

Security company Symantec has said that one of its websites was successfully breached. Romanian security researcher 'Unu' posted details of the breach in a blog post on Monday. Unu... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters