The vulnerability was discovered by a 21-year-old Armenian man using the alias “Vahe G,” who set up an exploit on a Google-hosted blog that harvested Gmail addresses, according to a report in TechCrunch, which first reported the news on Saturday.
By visiting the affected Blogspot site and while logged into any Google account, users immediately received an email from Google's servers. The message, sent from “email@example.com,” directed recipients to visit a link and read.
The email read: "p.s. you have received this message because you probably just visited this site already.”
It is not known how many people were impacted. Google said it sprung into action after news about the exploit was first reported on Saturday.
“We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account,” a Google spokesman said in a statement sent to SCMagazineUS.com on Monday. “We immediately removed the site that demonstrated this issue, and disabled the functionality soon after.”
Hacker Vahe G's exploit was not intended to cause harm, but malicious-minded individuals could have exploited the flaw to send legitimate-looking money-making spam or launch a malware or phishing attack, Graham Cluley, senior security researcher at anti-virus firm Sophos, wrote in a blog post Sunday.
“Users might be much more likely to click on a link if they saw it really did come from Google and could put their personal data in danger,” Cluley wrote. “Security issues like this are a real security concern as more and more people rely upon email communications, and their webmail providers to deliver a reliable, filtered inbox.”