Daily cyber threats and internet security news: network security, online safety and latest security alerts
November 23rd, 2008

Gmail Exploit May Allow Attackers Steal E-mails By Setting Forwarding Filters

A Gmail security vulnerability may allow an attacker to set up filters on users’ e-mail accounts without their knowledge, according to a proof of concept posted Sunday at The vulnerability has already caused some people to lose their domain names registered through

The exploit starts when user visits a malicious site while logged into Gmail. Whether the link is initiated through Gmail account or not, the malicious site can access internal credentials. After this, the malicious site can unnoticeably send data to Gmail that can create an automatic filter that diverts incoming e-mail to a different e-mail account. Given all this happens on Google’s mail servers, it can be noticed only by looking at account’s filters.

Along with gaining access to private messages, this exploit once in place compromises all future e-mails in that account. For example, if your Gmail details are registered as the contact details for any domain registrations, your domain might be hijacked and held to ransom by the use of account recovery and password resetting tools on your domain host account without your knowledge.

Without posting the full exploit, a post on GeekCondition explains how the flaw relies on obtaining the variables that represent the user name and “at”. When user creates a filter in Gmail account, a request is sent to Google’s servers to be processed. The request is made in the form of a URL with many variables. For security reasons, the browser doesn’t display all the variable contained within the URL. However, by using FireFox and a plugin called Live HTTP Headers, anyone can see exactly what variables are sent from the browser to Google’s servers. After that, an attacker just needs to identify the variable that is the equivalent of the username.

Obtaining this variable is tricky but possible, there are plenty of explanations about it that can be easily found in Google. The “at” variable can be obtained by visiting a malicious Web site and a part of the flaw might be the expiration of “at” variable after every request instead after every session.

Until this is fixed, users should check their filters often to avoid being a victim of the vulnerability. As in many other cases, Firefox users can download an extension called NoScript that helps prevent these attacks. Gmail users should also logout of their accounts when they are not in use, and not visit suspicious or untrusted websites.

Google did not comment on this issue at this point but it will most likely be fixed in the next couple of days.

Update (Nov 26): According to recent post in Google blog, there is no evidence of a Gmail vulnerability. With help from affected users, Google determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “” that they set up purely to harvest usernames and passwords.

It seems like novice “webmasters” and domain owners submitted the details needed to steal their domains on fake login pages and then panicked and blamed Gmail without realizing that the filters were not set through Gmail flaw by a “magic” URL but manually, by miscreants who logged into the Gmail accounts using phished passwords.

Share this item with others:

More on CyberInsecure:
  • New Gmail Phishing Campaign Attempts To Steal Login Credentials
  • Gmail Being Blocked By Some Anti-Spam Vendors
  • Google Adds User Enabled HTTPS Secure Connections Into GMail
  • Another Google Bug Put Users At Phishing Risk Due To Domain Flaw And Frame Injection Possibility
  • Phishing Experiment Bypasses All Anti-spam Filters

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Gmail Exploit May Allow Attackers Steal E-mails By Setting Forwarding Filters

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.