Gmail accounts hacked via unpatched hole

Scott spanbauer
By Scott Spanbauer

Exploits allowing hackers to break into Gmail accounts are likely to occur, if they’re not already circulating, after security researchers released details of a hole that Google has reportedly declined to patch.

There are steps you can take to reduce the risk of using a webmail account, but it appears that the usual tricks won’t solve the Gmail problem until Google fixes the software.

The weakness that researchers say afflicts Gmail, a free e-mail service hosted by Google, belongs to a class of attacks known as cross-site request forgery (CSRF, pronounced “sea surf”).

Besides Gmail, CSRF holes affecting YouTube, Netflix, and NYTimes.com have also been found and repaired in the past. CSRF attacks use security flaws in cookies, password requests, and other interactive Web components to intercept communications between your browser and a Web site’s server.

The first report of the Gmail problem within security circles was written by Vicente Aguilera Díaz of Internet Security Auditors (ISA) on July 30, 2007. The next day, ISA issued an alert and included a proof of concept illustrating how the exploit could be used to change a Gmail account password.

This article is part of our premium content. Join Now.

Already a paid subscriber? Click here to login.



Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 10, Windows 8, Windows 7, Firefox, Internet Explorer, Google, etc. Join our 460,000 subscribers!

Enter your email above to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.
The Windows 7, Vol 3 (Excerpt)

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

= Paid content

All Windows Secrets articles posted on 2009-04-23: