Posted September 26, 2007 11:41 am by with 5 comments


Whenever you hand over your sensitive daily tasks–such as email, word processing, spreadsheets–to an online provider, you’ll always have that nagging doubt about security. Surely though, if that provider is Google, you never have to worry about the security of your data. Right?

As ESPN’s Lee Corso would say: “Not so fast!”

It appears that Google had to fix a major flaw that allowed hackers to infiltrate Gmail and set up a filter to forward all email to the account of their choice. Here’s how it works…

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter which simply looks for emails with attachments and forwards them to an email address of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

Go check this now. We’ll be right here when you get back!
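To make the two points above concrete, here is an added example that is not code from the original post or from Google: a toy mail-filter service that (a) accepts a filter on the strength of the session cookie alone, which is why a forged multipart/form-data POST from another site can succeed, (b) applies the standard defence of a session-bound token checked server-side plus an Origin check, and (c) audits the stored filters for rules that forward mail to another domain, since an injected filter outlives the fix. The class and function names (FilterService, audit_forwarding), the SITE_ORIGIN value and the example.test addresses are all constructed for illustration.

```python
"""Toy filter service: session-cookie-only acceptance vs. anti-CSRF checks,
plus an audit for off-domain forwarding rules. All names, endpoints and
addresses are constructed for this example."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    # Random per-session token; only pages served by our own origin can read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST to the filter endpoint."""
    cookies: Dict[str, str]
    origin: Optional[str]        # Origin header; may be absent on old browsers
    form: Dict[str, str]         # decoded multipart/form-data fields


SITE_ORIGIN = "https://mail.example.test"   # constructed, not a real host


class FilterService:
    def __init__(self, require_csrf: bool = True):
        self.require_csrf = require_csrf
        self.sessions: Dict[str, Session] = {}
        self.filters: Dict[str, List[dict]] = {}   # user -> stored filters

    def login(self, user: str) -> Tuple[str, Session]:
        sid = secrets.token_hex(8)
        sess = Session(user=user)
        self.sessions[sid] = sess
        self.filters.setdefault(user, [])
        return sid, sess

    def create_filter(self, req: Request) -> Tuple[int, str]:
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None:
            return 401, "not logged in"
        if self.require_csrf:
            # A page on another site can make the browser send our cookie,
            # but it cannot claim our Origin and cannot read the token.
            if req.origin is not None and req.origin != SITE_ORIGIN:
                return 403, "cross-site origin"
            token = req.form.get("csrf_token", "")
            if not hmac.compare_digest(token, sess.csrf_token):
                return 403, "missing or bad csrf token"
        self.filters[sess.user].append({
            "match": req.form.get("match", ""),
            "forward_to": req.form.get("forward_to", ""),
        })
        return 200, "filter created"


def audit_forwarding(service: FilterService, user: str) -> List[dict]:
    """Return this user's filters that forward mail to a different domain:
    the 'go check your filters now' step in code form."""
    own_domain = user.split("@", 1)[1].lower()
    suspicious = []
    for f in service.filters.get(user, []):
        target = f["forward_to"]
        if "@" in target and target.split("@", 1)[1].lower() != own_domain:
            suspicious.append(f)
    return suspicious


def demo() -> Dict[bool, Dict[str, int]]:
    """Run the same two requests against the unprotected and protected service."""
    results = {}
    for require_csrf in (False, True):
        svc = FilterService(require_csrf=require_csrf)
        sid, sess = svc.login("victim@example.test")
        # Forged POST from a page visited while logged in: the browser attaches
        # the session cookie, but the form carries no token and a foreign Origin.
        forged = Request(cookies={"sid": sid}, origin="https://evil.example.test",
                         form={"match": "has:attachment",
                               "forward_to": "attacker@evil.example.test"})
        # Genuine POST from the mail UI itself, carrying the session's token.
        genuine = Request(cookies={"sid": sid}, origin=SITE_ORIGIN,
                          form={"match": "from:boss",
                                "forward_to": "victim@example.test",
                                "csrf_token": sess.csrf_token})
        results[require_csrf] = {
            "forged": svc.create_filter(forged)[0],
            "genuine": svc.create_filter(genuine)[0],
            "suspicious": len(audit_forwarding(svc, "victim@example.test")),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

With `require_csrf=False` the forged request is stored and the audit flags one off-domain rule; with the token and Origin checks on, the forged request gets a 403 while the genuine one still succeeds. The audit is worth running regardless of the server-side fix, because a filter that was injected before the fix is ordinary data and stays in place until someone removes it.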

Ok, you weren’t one of the victims? Good for you! But, it does make you wonder just how safe and secure your information is, doesn’t it?


  • Microsoft says that Linux and Mac have fewer viruses than Windows because they are not as popular as Windows is, and hackers write viruses for Windows because they want to target a large audience.
    Will this happen to Google?
    With an incredibly growing user base and amount of personal information, will Google become a target of web viruses?

  • Nice how you can still be screwed even if Google does make the fix. Security is an issue whether your data is stored locally or on someone else’s server, but when it’s stored externally you do need to have some faith in how well your information is being protected.

    Way to work in college game day. But don’t you think that new handshake is a little too complicated?

  • @Steven – LOL, I’ve not seen the new handshake. I’ll have to look for it. 🙂

  • I have been resisting the temptation to save my data files despite being bombarded by invitations to do so every day. I am happy to be vindicated. I think that I shall simply save my stuff the old fashioned way by myself in my equipment. I will at least feel safer.

  • I had Gmail running in the background while reading this. Creepy! haha not.