
Tom Espiner


Security Bullet In

Communiques from the security front, sir

Tuesday 2 January 2007, 3:46 PM

Gmail flaw fixed?

Posted by Tom Espiner

It is still uncertain how serious a JavaScript flaw in Gmail is, and whether it has been fixed completely. The flaw allows spammers to harvest contact details from a user's account by launching a cross-site scripting attack.

To exploit the flaw, the hacker adds a piece of code to their website server, which in turn gives them access to the Gmail contacts of passing browsers, if users are signed in to their Gmail account.

There is some speculation about how serious a flaw this is, and whether there has been a complete fix. According to ZDNet blogger Garrett Rogers, Google has partially sorted out the problem.

"The problem is only partially fixed. The vulnerability exposed through video.google.com has been patched up, but there are other subdomains where the problem still exists," said Rogers in his blog.

Google was unavailable for comment at the time of writing.
