October 1, 2007 -- (WEB HOST INDUSTRY REVIEW) -- Web analytics firm Netcraft (netcraft.com) reported this weekend that search engine giant Google (google.com) has fixed a vulnerability in its Gmail Web-based email service. Netcraft says the vulnerability would have allowed Internet attackers to steal mail messages from users without being noticed.
The attack technique known as Cross-site Request Forgery works by forcing a logged-in user to add a mail filter to his Gmail account, allowing his mail to be forwarded to an external mail address controlled by the attacker. The analytics firm says that because Gmail doesn't adequately verify the origin of such requests, it's possible for attackers to create their own Web pages using JavaScript to automatically make these kinds of requests on behalf of their victims. Since the results of the request are hidden, it's unlikely that a victim will have noticed that his Gmail account has been compromised, particularly if he has left Gmail open while browsing the Internet.
Netcraft says compromised webmail accounts are regarded as a valuable commodity by hackers as they often contain information that could help them gain unauthorized access to other systems, such as Internet banking, and to harvest credit card details from online stores used by the victim.
Cross-site Request Forgery vulnerabilities are often difficult to identify using automated tools and typically require testing by security aware developers, says the analytics firm.
