Google quickly shores up Gmail spam flaw

Share this article:
Google has fixed what is being described as a serious security flaw that allowed a hacker to harvest Gmail addresses and send spam from the search giant's servers.

The vulnerability was discovered by a 21-year-old Armenian man using the alias “Vahe G,” who set up an exploit on a Google-hosted blog that harvested Gmail addresses, according to a report in TechCrunch, which first reported the news on Saturday.

By visiting the affected Blogspot site and while logged into any Google account, users immediately received an email from Google's servers. The message, sent from “noreply@google.com,” directed recipients to visit a link and read.

The email read: "p.s. you have received this message because you probably just visited this site already.”

It is not known how many people were impacted. Google said it sprung into action after news about the exploit was first reported on Saturday.

“We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account,” a Google spokesman said in a statement sent to SCMagazineUS.com on Monday. “We immediately removed the site that demonstrated this issue, and disabled the functionality soon after.”

Hacker Vahe G's exploit was not intended to cause harm, but malicious-minded individuals could have exploited the flaw to send legitimate-looking money-making spam or launch a malware or phishing attack, Graham Cluley, senior security researcher at anti-virus firm Sophos, wrote in a blog post Sunday.

“Users might be much more likely to click on a link if they saw it really did come from Google and could put their personal data in danger,” Cluley wrote. “Security issues like this are a real security concern as more and more people rely upon email communications, and their webmail providers to deliver a reliable, filtered inbox.”

Share this article:

Sign up to our newsletters

More in News

Russian hacker Seleznev ordered to remain in custody

Roman Seleznev's attorneys requested that the hacker be released on bond, but their pleas were rejected this past week.

Bug in iOS Instagram app fixed, impacts Facebook accounts

The vulnerability comes into play when Instagram users search for Facebook friends to "follow."

AP denied security docs on HealthCare.gov, a risk to private information

AP denied security docs on HealthCare.gov, a risk ...

The Associated Press was denied a request made under the Freedom of Information Act for documents that contain security information on HealthCare.gov.