Google quickly shores up Gmail spam flaw

Google has fixed what is being described as a serious security flaw that allowed a hacker to harvest Gmail addresses and send spam from the search giant's servers.

The vulnerability was discovered by a 21-year-old Armenian man using the alias “Vahe G,” who set up an exploit on a Google-hosted blog that harvested Gmail addresses, according to a report in TechCrunch, which first reported the news on Saturday.

Users who visited the affected Blogspot site while logged into any Google account immediately received an email from Google's servers. The message, sent from "noreply@google.com," directed recipients to visit a link and read.

The email read: "p.s. you have received this message because you probably just visited this site already."

It is not known how many people were impacted. Google said it sprang into action after news about the exploit was first reported on Saturday.

“We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account,” a Google spokesman said in a statement sent to SCMagazineUS.com on Monday. “We immediately removed the site that demonstrated this issue, and disabled the functionality soon after.”

Hacker Vahe G's exploit was not intended to cause harm, but malicious-minded individuals could have exploited the flaw to send legitimate-looking money-making spam or launch a malware or phishing attack, Graham Cluley, senior security researcher at anti-virus firm Sophos, wrote in a blog post Sunday.

“Users might be much more likely to click on a link if they saw it really did come from Google and could put their personal data in danger,” Cluley wrote. “Security issues like this are a real security concern as more and more people rely upon email communications, and their webmail providers to deliver a reliable, filtered inbox.”
