Google quickly shores up Gmail spam flaw

Google has fixed what is being described as a serious security flaw that allowed a hacker to harvest Gmail addresses and send spam from the search giant's servers.

The vulnerability was discovered by a 21-year-old Armenian man using the alias “Vahe G,” who set up an exploit on a Google-hosted blog that harvested Gmail addresses, according to a report in TechCrunch, which first reported the news on Saturday.

Users who visited the affected Blogspot site while logged into any Google account immediately received an email from Google's servers. The message, sent from “noreply@google.com,” directed recipients to visit a link and read.

The email read: “p.s. you have received this message because you probably just visited this site already.”

It is not known how many people were impacted. Google said it sprang into action after news about the exploit was first reported on Saturday.

“We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account,” a Google spokesman said in a statement sent to SCMagazineUS.com on Monday. “We immediately removed the site that demonstrated this issue, and disabled the functionality soon after.”

Hacker Vahe G's exploit was not intended to cause harm, but malicious-minded individuals could have exploited the flaw to send legitimate-looking money-making spam or launch a malware or phishing attack, Graham Cluley, senior security researcher at anti-virus firm Sophos, wrote in a blog post Sunday.

“Users might be much more likely to click on a link if they saw it really did come from Google and could put their personal data in danger,” Cluley wrote. “Security issues like this are a real security concern as more and more people rely upon email communications, and their webmail providers to deliver a reliable, filtered inbox.”
