Wednesday, September 26, 2007

Bug in Google Mail

Information has appeared about a new vulnerability in Google's web mail that allows an attacker to secretly intercept a user's messages. The well-known researcher Petko Petkov of GNU Citizen found the bug. According to his blog, by redirecting a logged-in Gmail user to a specially crafted site, it is possible to create a filter that automatically forwards all messages with attachments to the attacker's mailbox.

The vulnerability is connected with incorrect processing of data submitted in forms (multipart/form-data POST). Petkov has not published an exploit for this vulnerability; however, a colleague to whom he demonstrated the Gmail attack confirmed that it exists and stressed how dangerous such a flaw is: "The exploit works without any interaction with the user and is completely unnoticeable; it will be difficult for the average user to notice that their mail is being stolen." Google is investigating the bug.
