By Scott Spanbauer
Exploits allowing hackers to break into Gmail accounts are likely to occur, if they’re not already circulating, after security researchers released details of a hole that Google has reportedly declined to patch.
There are steps you can take to reduce the risk of using a webmail account, but it appears that the usual tricks won’t solve the Gmail problem until Google fixes the software.
The weakness that researchers say afflicts Gmail, a free e-mail service hosted by Google, belongs to a class of attacks known as cross-site request forgery (CSRF, pronounced “sea surf”).
Besides Gmail, CSRF holes affecting YouTube, Netflix, and NYTimes.com have also been found and repaired in the past. CSRF attacks use security flaws in cookies, password requests, and other interactive Web components to intercept communications between your browser and a Web site’s server.
The first report of the Gmail problem within security circles was written by Vicente Aguilera Díaz of Internet Security Auditors (ISA) on July 30, 2007. The next day, ISA issued an alert and included a proof of concept illustrating how the exploit could be used to change a Gmail account password.
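As an added example, not taken from the article or from Google's code, the Python below models the password-change scenario the alert describes: a handler that trusts the session cookie alone accepts a request a third-party page caused the browser to send, while the same handler hardened with a per-session anti-CSRF token rejects it. The users, session store, and request records are all constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory state: one account and a session store (not a real service).
PASSWORDS = {"alice": "old-password"}
SESSIONS = {}  # session cookie value -> Session


@dataclass
class Session:
    user: str
    # Secret the server embeds in its own forms; a cross-site page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    cookies: dict  # what the browser attaches automatically, whoever triggered the request
    form: dict     # body fields controlled by the page that submitted the form


def login(user: str) -> str:
    """Issue a session cookie and keep the matching CSRF token server-side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user)
    return sid


def change_password_vulnerable(req: Request) -> bool:
    """Authenticates by cookie alone, so a request forged from another site is honoured."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return False
    PASSWORDS[sess.user] = req.form["new_password"]
    return True


def change_password_hardened(req: Request) -> bool:
    """Synchronizer-token pattern: the form must echo the token bound to this session."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return False
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess.csrf_token.encode()):
        return False  # reject: the submitting page never had the token
    PASSWORDS[sess.user] = req.form["new_password"]
    return True


def demo() -> dict:
    """Run a forged and a legitimate request through both handlers."""
    sid = login("alice")
    forged = Request(cookies={"sid": sid}, form={"new_password": "forged"})  # cookie, no token
    legit = Request(cookies={"sid": sid},
                    form={"new_password": "user-chosen", "csrf_token": SESSIONS[sid].csrf_token})
    results = {"vulnerable_accepts_forgery": change_password_vulnerable(forged)}
    PASSWORDS["alice"] = "old-password"
    results["hardened_rejects_forgery"] = not change_password_hardened(forged)
    results["password_untouched"] = PASSWORDS["alice"] == "old-password"
    results["hardened_accepts_legit"] = change_password_hardened(legit)
    return results
```

The token check works because the browser's same-origin policy keeps the attacker's page from reading the token out of the victim's session, even though the browser still attaches the victim's cookie to the forged request.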