Google plugs Gmail security hole

Liam Tung ZDNet Australia

Published: 28 Sep 2007 12:23 BST

Three days after ethical hacker Petko Petkov announced his discovery of a cross-site scripting vulnerability in Gmail, Google says it has fixed the problem.

"We worked quickly to address the recently reported vulnerability, and we have rolled out a fix," a Google Australia spokesperson said today.

The vulnerability discovered by Petkov, who posted his findings at the GNUCitizen website, could have allowed an attacker to seize control of a user's session cookies if the user clicked on a malicious link while logged into their account.

Under that scenario, an attacker could siphon emails from the hijacked account to a separate POP account, Chris Gatford of penetration-testing company Pure Hacking explained on Wednesday.

"If someone picks up on this before Google fixes it — or if someone knew of the vulnerability before this guy published it — this could be very damaging to Gmail users," Gatford said.

However, Google's spokesperson said the search giant had not received any reports of the vulnerability being exploited, and added: "Google takes the security of our users' information very seriously."

Pure Hacking's Gatford said cross-site scripting vulnerabilities are gaining popularity amongst attackers and that many organisations are overlooking the problem.

"In the last year or so, [cross-site scripting vulnerabilities] have been used by attackers to grab cookie values and therefore gain access to normally password-protected sites," said Gatford.
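As an added illustration (not from the article, Google or Pure Hacking), the check below parses Set-Cookie headers and flags session cookies missing the HttpOnly and Secure attributes, which limit what a cookie-grabbing script of the kind Gatford describes can read or leak; the headers and the session-cookie names are constructed samples. HttpOnly stops injected script from reading the cookie but not from issuing requests in the victim's session, so it narrows rather than closes the exposure.

```python
"""Audit Set-Cookie headers for session cookies exposed to script-based theft.

Added example, not code from the article. Header lines and cookie names
below are constructed samples, not captured from Gmail or any real service.
"""

# Constructed sample Set-Cookie headers (assumed names "SID" and "prefs").
SAMPLE_HEADERS = [
    "SID=abc123; Domain=mail.example.com; Path=/; Secure; HttpOnly",
    "SID=def456; Domain=mail.example.com; Path=/",
    "prefs=lang%3Den; Path=/; Max-Age=31536000",
]

# Assumed list of names that commonly carry a login session.
SESSION_COOKIE_NAMES = {"sid", "sessionid", "session", "jsessionid", "phpsessid"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs).

    Attribute names are lower-cased; valueless flags such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the weaknesses found in one header (empty list means none)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() in SESSION_COOKIE_NAMES:
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly, readable via document.cookie")
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure, may be sent over plain HTTP")
    return findings


def audit_headers(headers):
    """Map each weak header to its findings; headers with no findings are omitted."""
    return {h: audit_set_cookie(h) for h in headers if audit_set_cookie(h)}


if __name__ == "__main__":
    for header, findings in audit_headers(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```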