Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Vulnerability Allowed Hacker to Send Emails in Google's Name

tipo

By tipo
in Security & Privacy News

Recommended Posts

tipo

tipo

Posted
Posted

An Armenian hacker demonstrated a serious security issue in Google Apps over the weekend, which allowed him to harvest email addresses from Gmail users and send them very credible messages in Google's name.

The attack was demoed through a specially crafted Blogspot page. Any user logged into Gmail who visited this page, immediately received an email appearing to originate from the company.

According to Graham Cluley, a senior technology consultant at antivirus vendor Sophos, what's interesting about this is that the rogue emails did not have forged headers.

They came from a [email protected] address, through maestro.bounces.google.com and were signed by google.com, making them very suitable for phishing.

One attack scenario would involve spreading a link to the Blogspot page through Facebook by promising an intriguing video or using some other lure.

The visitors who are logged into Gmail would then receive an email crafted as a security alert from Google, which would direct them to a phishing page mimicking the sign in page.

The details of the vulnerability have not been publicly disclosed and in an email to TechCrunch, the hacker, who presents himself as a 21-year-old Armenian named Vahe G., said that he doesn't want people to find out out how it was done.

He also mentioned that he tried getting in contact with Google prior to demonstrating the exploit, but the company did not get back to him.

This is strange considering the company is now offering bounties for serious vulnerabilities found in its Web services. This bug could have earned Vahe $500 or more if he would have reported it through the proper channels.

The search giant confirmed the existence of the flaw in its Google Apps Script API and said that it was quickly dealt with.

"We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account," a Google spokesperson told TechCrunch.

"We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to [email protected]," they added.

link

Link to comment
Share on other sites
  • Views 581
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...