A Gmail security vulnerability may allow an attacker to set up filters on users’ e-mail accounts without their knowledge, according to a proof of concept posted Sunday at GeekCondition.com. The vulnerability has already caused some people to lose their domain names registered through GoDaddy.com.
The exploit starts when user visits a malicious site while logged into Gmail. Whether the link is initiated through Gmail account or not, the malicious site can access internal credentials. After this, the malicious site can unnoticeably send data to Gmail that can create an automatic filter that diverts incoming e-mail to a different e-mail account. Given all this happens on Google’s mail servers, it can be noticed only by looking at account’s filters.
Along with gaining access to private messages, this exploit once in place compromises all future e-mails in that account. For example, if your Gmail details are registered as the contact details for any domain registrations, your domain might be hijacked and held to ransom by the use of account recovery and password resetting tools on your domain host account without your knowledge.
Without posting the full exploit, a post on GeekCondition explains how the flaw relies on obtaining the variables that represent the user name and “at”. When user creates a filter in Gmail account, a request is sent to Google’s servers to be processed. The request is made in the form of a URL with many variables. For security reasons, the browser doesn’t display all the variable contained within the URL. However, by using FireFox and a plugin called Live HTTP Headers, anyone can see exactly what variables are sent from the browser to Google’s servers. After that, an attacker just needs to identify the variable that is the equivalent of the username.
Obtaining this variable is tricky but possible, there are plenty of explanations about it that can be easily found in Google. The “at” variable can be obtained by visiting a malicious Web site and a part of the flaw might be the expiration of “at” variable after every request instead after every session.
Until this is fixed, users should check their filters often to avoid being a victim of the vulnerability. As in many other cases, Firefox users can download an extension called NoScript that helps prevent these attacks. Gmail users should also logout of their accounts when they are not in use, and not visit suspicious or untrusted websites.
Google did not comment on this issue at this point but it will most likely be fixed in the next couple of days.
Update (Nov 26): According to recent post in Google blog, there is no evidence of a Gmail vulnerability. With help from affected users, Google determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords.
It seems like novice “webmasters” and domain owners submitted the details needed to steal their domains on fake login pages and then panicked and blamed Gmail without realizing that the filters were not set through Gmail flaw by a “magic” URL but manually, by miscreants who logged into the Gmail accounts using phished passwords.
More on CyberInsecure: