Gmail accounts hacked via unpatched hole

Scott spanbauer By Scott Spanbauer

Exploits allowing hackers to break into Gmail accounts are likely to occur, if they’re not already circulating, after security researchers released details of a hole that Google has reportedly declined to patch.

There are steps you can take to reduce the risk of using a webmail account, but it appears that the usual tricks won’t solve the Gmail problem until Google fixes the software.

The weakness that researchers say afflicts Gmail, a free e-mail service hosted by Google, belongs to a class of attacks known as cross-site request forgery (CSRF, pronounced “sea surf”).

Besides Gmail, CSRF holes affecting YouTube, Netflix, and NYTimes.com have also been found and repaired in the past. CSRF attacks use security flaws in cookies, password requests, and other interactive Web components to intercept communications between your browser and a Web site’s server.

The first report of the Gmail problem within security circles was written by Vicente Aguilera Díaz of Internet Security Auditors (ISA) on July 30, 2007. The next day, ISA issued an alert and included a proof of concept illustrating how the exploit could be used to change a Gmail account password.

This article is part of our premium content. Join Now.

Already a paid subscriber? Click here to login.



= Paid content

All Windows Secrets articles posted on 2009-04-23: