According to public reports, Google Gmail contained a cross-site request forgery (XSRF) vulnerability that allowed attackers to create email filters that could forward mail and attachments to arbitrary email addresses.
Google Gmail is a web-based mail service. Gmail provides support for email filters that allow users to sort and forward mail.
According to a report on the GNUCITIZEN site, Gmail contained a cross-site request forgery (XSRF) vulnerability that allowed attackers to create mail filters that forward mail to arbitrary email addresses. To exploit this vulnerability, an attacker would have had to convince a user to click or open a specially crafted hyperlink while the user was logged into their Gmail account. The page behind the hyperlink would have submitted an HTTP POST request to Gmail's filter-creation interface; because the browser attaches the user's Gmail session cookies to that request, Gmail could not distinguish it from a request made by the user and would have created the mail filter.
A remote attacker could have collected email addresses, emails, and attachments from a user's Gmail account.
According to publicly available reports, Google has addressed this vulnerability.
The following workarounds may partially mitigate future cross-site scripting (XSS) and XSRF vulnerabilities:
Information about this vulnerability was disclosed on the GNUCITIZEN web site.
This document was written by Ryan Giobbi.
Date First Published: 2007-10-01
Date Last Updated: 2008-02-12 11:44 UTC