Vulnerability Note VU#571584
Google Gmail cross-site request forgery vulnerability
According to public reports, Google Gmail contained a cross-site request forgery (XSRF) vulnerability that allowed attackers to create email filters that could forward mail and attachments to arbitrary email addresses.
Google Gmail is a web-based mail service. Gmail provides support for email filters that allow users to sort and forward mail.
According to a report on the GNUCITIZEN site, Gmail contained a cross-site request forgery (XSRF) vulnerability that allowed attackers to create mail filters and forward mail to arbitrary email addresses. To exploit this vulnerability, an attacker would have had to convince a user to click or open a specially crafted hyperlink while the user was logged into their Gmail account. The hyperlink would have triggered an HTTP POST request, carrying the user's ambient session cookies, that created the mail filter.
A remote attacker could have collected email addresses, emails, and attachments from a user's Gmail account.
According to publicly available reports, Google has addressed this vulnerability.
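The root cause described above is that the filter-creation request was authenticated only by the session cookie, which the browser attaches to any request regardless of which site initiated it. The following is an added example written for this note, not Gmail's code or the GNUCITIZEN report's proof of concept: it models a state-changing endpoint once in that cookie-only form and once hardened with a per-session synchronizer token and an Origin check. The endpoint name, cookie name (`SID`), form field names and origins are constructed assumptions.

```python
"""Cookie-only vs. token-checked handling of a state-changing POST.

Constructed example: endpoint, cookie name, form fields and origins are
assumptions made for illustration, not Gmail's actual request format.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

APP_ORIGIN = "https://mail.example"          # assumed origin of the web app
SESSIONS: Dict[str, Tuple[str, str]] = {}    # session id -> (user, csrf token)
FILTERS: Dict[str, list] = {}                # user -> forward-to addresses created


def create_session(user: str) -> Tuple[str, str]:
    """Log a user in. The CSRF token is bound to the session and embedded in
    the app's own pages; a page on another origin cannot read it."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, token)
    FILTERS.setdefault(user, [])
    return sid, token


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def _session_for(req: Request) -> Optional[Tuple[str, str]]:
    return SESSIONS.get(req.cookies.get("SID", ""))


def create_filter_vulnerable(req: Request) -> str:
    """Authenticates by the session cookie alone: any site that can make
    the victim's browser POST here gets the filter created."""
    entry = _session_for(req)
    if req.method != "POST" or entry is None:
        return "401 not logged in"
    user, _ = entry
    FILTERS[user].append(req.form["forward_to"])
    return "200 filter created"


def create_filter_hardened(req: Request) -> str:
    """Same endpoint with two independent CSRF checks."""
    entry = _session_for(req)
    if req.method != "POST" or entry is None:
        return "401 not logged in"
    user, expected_token = entry
    # Check 1: if the browser sent an Origin header, it must be our own origin.
    origin = req.headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return "403 cross-origin request rejected"
    # Check 2: the form must carry the session's token (constant-time compare).
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected_token):
        return "403 missing or invalid csrf token"
    FILTERS[user].append(req.form["forward_to"])
    return "200 filter created"


def demo() -> Dict[str, str]:
    """Run one legitimate and two forged requests through both handlers."""
    sid, token = create_session("victim")
    cookies = {"SID": sid}   # the browser attaches this to every request
    legit = Request("POST", cookies,
                    {"forward_to": "me@example.org", "csrf_token": token},
                    {"Origin": APP_ORIGIN})
    # Forged from another origin: cookie present, token unknown to the attacker.
    forged = Request("POST", cookies,
                     {"forward_to": "third-party@example.net"},
                     {"Origin": "https://other.example"})
    # Same forgery from a client that sends no Origin header at all.
    forged_no_origin = Request("POST", cookies,
                               {"forward_to": "third-party@example.net"})
    return {
        "vulnerable_legit": create_filter_vulnerable(legit),
        "vulnerable_forged": create_filter_vulnerable(forged),
        "hardened_legit": create_filter_hardened(legit),
        "hardened_forged": create_filter_hardened(forged),
        "hardened_forged_no_origin": create_filter_hardened(forged_no_origin),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The Origin check alone is not sufficient, since some clients omit the header; the token check is what rejects the third request. Keeping both gives defence in depth without changing what a legitimate page submits.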
The following workarounds may partially mitigate future cross-site scripting (XSS) and XSRF vulnerabilities:
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Google | Affected | - | 01 Oct 2007 |
Information about this vulnerability was disclosed on the GNUCITIZEN web site.
This document was written by Ryan Giobbi.
- CVE IDs: Unknown
- Date Public: 25 Sep 2007
- Date First Published: 01 Oct 2007
- Date Last Updated: 12 Feb 2008
- Severity Metric: 0.79
- Document Revision: 19
If you have feedback, comments, or additional information about this vulnerability, please send us email.