A post called Google GMail E-mail Hijack Technique shows us how by 'installing a persistent backdoor within anyone's GMail account, we can snoop into conversations'.
PDP writes, "This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google. The technique used in this example is known as Cross-site request forgery, or simply put CSRF. I am not planning to go into details how it works. Just look it up on Google or better yet, Yahoo. Yes Yahoo is a lot better these days, especially when it comes to hardcore Web2.0 API hacking."
Thats not all, Philipp Lenssen writes about another incident where Tony Ruscoe discovered another vulnerability. Ă˘â‚¬Ĺ“After posting his (Tony Ruscoe's) specially prepared file of the Google Docs family which exploits a non-standard, incorrect Internet Explorer behavior, and then pushing me as experimental Ă˘â‚¬Ĺ“victimĂ˘â‚¬Âť onto this file by sending me a link I clicked, Tony was able to get a Google Account cookie of mine, as I was previously logged-in to Google.
With this cookie, Tony could:
- Read my Gmail email subject lines and the first words of my mails. This was possible by including a Gmail gadget onto iGoogle, using the extra-wide tab layout.
- Access my Google Analytics statistics, including stats of external sites that had been shared with my account.
- View many of my iGoogle gadgets, e.g. a Todo list.
- Access the full contents of my non-public Google Notebook notes/ non-public notes that had been shared with me by others.
- Check my Google Reader.
- See the names of my Docs, Spreadsheets and Presentations files.
HereĂ˘â‚¬â„˘s what Tony was specifically not able to do:
- He didnĂ˘â‚¬â„˘t see my full emails.
- He didnĂ˘â‚¬â„˘t see any of the content of my Google Docs, Spreadsheets or Presentations.
- He didnĂ˘â‚¬â„˘t see all of my iGoogle gadgets, e.g. a Google Talk gadget required another log-in.
- He wasnĂ˘â‚¬â„˘t able to compromise my account login/ password, e.g. change it to then fully access my Google services.Ă˘â‚¬Âť
Before this, Beford, another developer also discovered a Google vulnerability that could be misused to get personal data, etc. Now, what do you think about the all 'mighty' and 'impeccable' Google?