Gmail bug exposes your mail account to spammers
Like your Gmail account? Consider it a sacred place which must be protected from spammers at all costs? Yeah, us too. Well, we hate to break the bad news at the dawn of the new year, but there's a weakness in Gmail which exposes your email address to any web site capable of exploiting the bug. As reported on Digg, the exploit takes advantage of the fact that Google puts your details into a JS file. As a result, if you're logged into Gmail and browsing the web, any rogue website can declare the function "google" and then parse all your contacts. The only way to safeguard yourself is to disable JavaScript in your browser (or enable it for trusted sites only) or simply climb into a hole and not browse while logged into Google services like Gmail, Blogger, Orkut, Reader, Calendar, etc. -- you know, the sites you typically have open all day long. For obvious reasons, we will not link directly to the site which demonstrates the exploit on your personal account due to the risk of running possibly malicious code. However, we tested it and found our most precious account -- and those of our contacts -- correctly identified and ready for harvest. But hey, even though Gmail has been out since 2004, it is still "beta"... right?
Update 1: There are reports that Google has fixed the issue. Their "fix" is related and with any luck should be applicable. However, it's no fix. Don't believe us? Log in to your fave Google service and give this non-malicious link a click.
Update 2: Google seems to have now patched the vulnerability.
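The weakness described above is the pattern now usually called cross-site script inclusion: cookie-authenticated data served as a script that calls a global function. The following is an added example, not code from this article or from Google; the endpoint, data and function names other than "google" are constructed, and the hardening shown (Fetch Metadata checks, a non-executable JSON prefix, `nosniff`) is general practice rather than the fix the article reports.

```javascript
// Added illustration: endpoint, names and data are constructed, not Google's code.
const CONTACTS = { owner: 'alice@example.com', contacts: ['bob@example.com', 'carol@example.com'] };

// Vulnerable pattern: per-user data returned as executable script that calls
// a global function. Cookies ride along with any <script src> load, so the
// including page, whatever its origin, receives the data via its own google().
function vulnerableResponse() {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/javascript' },
    body: `google(${JSON.stringify(CONTACTS)});`,
  };
}

// Hardened pattern: reject script-destination and non-same-origin requests
// (Fetch Metadata), and serve JSON with a prefix that is a syntax error as
// script, so browsers that send no Fetch Metadata headers are covered too.
function hardenedResponse(reqHeaders) {
  const site = reqHeaders['sec-fetch-site'];
  const dest = reqHeaders['sec-fetch-dest'];
  if (dest === 'script' || (site && site !== 'same-origin')) {
    return { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
    body: ")]}'\n" + JSON.stringify(CONTACTS),
  };
}

// Models a page that defines its own google() and evaluates the response body
// as script; reports whether that callback ever received the data.
function dataSeenByIncludingPage(body) {
  const seen = [];
  try {
    new Function('google', body)((data) => seen.push(data));
  } catch (err) {
    return { leaked: false, error: err.name };
  }
  return { leaked: seen.length > 0, data: seen[0] };
}

// The legitimate same-origin client fetches the body and strips the prefix.
function parseOwnResponse(body) {
  return JSON.parse(body.replace(/^\)\]\}'\n/, ''));
}
```
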

My gmail was hijacked. I followed the steps listed in gmail's help section. They didn't work and google support refused to help me restore my account. Now all my contacts, passwords, account numbers, files, pictures, etc, are in some hacker's files. I'm very disappointed with google to say the least.
"logged into Google services like Gmail, Blogger, Orkut, Reader, Calendar, etc. -- you know, the sites you typically have open all day long."
...what, you mean someone actually uses all that crap?
Spam problems over? I don't think so! Here's a pretty good test case - described in an email I sent to Google today:
I am having a huge (for me) new spam problem - not with my new gmail account (????@gmail.com), but with the account listed as my gmail default from/reply to address.
I don't think you adequately inform accountholders of the exposure risk to their other email accounts, and I intend to post this correspondence online to increase public awareness of this particular security risk in using a gmail account.
The details:
I opened a gmail account last month (mid Feb). As my default from/reply to address, I chose an address I've had a few years, but seldom used (?????@?????.rr.com).
From Mar 1-13 only, I had my gmail account retrieve mail from a few of my other POP3 accounts. All mail incoming to gmail was forwarded to yet another of my addresses.
Since I opened my gmail account, I have sent only ONE email from that gmail account. I used the ?????@?????.rr.com from/reply to address. I sent it to someone I regularly mail to using my other email accounts.
In the last 14 hours (Mar 19) I have received over 100 spams to my ?????@?????.rr.com email address (not coming through gmail). I have never received any spam to that address before - or that much spam to all my 7 other accounts combined! (I have tight security on my systems, and use the Cloudmark spam filter.)
This new spam must be a security problem originating with gmail, since it's never been a security problem with any of my accounts (or the mail recipient's account) in the past.
Today I have removed all reference to other email addresses from my gmail account, and permanently deleted all mail.
Unfortunately, I don't expect that will solve my new spam problem.
I expect an apology from Google. More than that, I expect your prominent disclosure of NEW security risks to your accountholders' other email addresses.
Can kids get a gmail account??
I had an issue today where somehow my Gmail account got used to send spam to all the people in my contacts list. I was logged in at the time and surfing. Is this the exploit/problem being talked about here? Cos all these comments make me think it's something different, like getting bombarded with spam yourself, rather than your Gmail getting used/exploited/compromised for channelling spam to your contacts by a third party. If that's the case (that it is not the same thing as happened to me today) then can I NOT assume my problem/insecurity has been fixed by Google?