I don't know how many of you have seen this, but if it saves one person some hassle or heartache, I guess it's worth the repeat here:
This is scary.
Basic idea (quoted from GNUCITIZEN):
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
You may want to check your filters, and see if there's a way to get notified when new ones are added or when mail is forwarded to unknown addresses.
I hate the application of it, but you have to kind of admire the idea behind it.
Update: Oops... didn't realize Lifehacker had already posted about this (at http://lifehacker.com/337745/ ), so I guess probably that would have been enough exposure.
Posted by Sammy Larbi on Dec 26, 2007 at 09:44 PM UTC - 6 hrs
So I wonder if Google will be sending an email to everyone who had an unknown address (unknown to that account) as part of a filter?
Posted by Sammy Larbi on Dec 26, 2007 at 10:18 PM UTC - 6 hrs