For all of the Gmail users out there, it looks like Gmail is currently in a vulnerable state.  The vulnerability looks like a malware/phishing combination, but only seems to work if you do not log out of your account.  Whether or not you may have noticed, if you just click the ‘Back’ button on your browser and start using Google, you’ll notice you’re still logged in in the upper right-hand corner of the screen.  This is a new feature from Google that gives you the option to log your web history, but is it really a feature people should be using?  My guess is this kind of zero-day exploit to acquire gmail accounts is just the beginning.

Google’s Gmail can be easily hacked, allowing any past and future emails to be read by hackers, according to a vulnerability researcher.

A “cross-site request forgery” (CSRF) bug was disclosed by Petko Petkov, a UK-based web vulnerability tester who has made a name for himself of late. In the past two weeks, Petkov has publicly posted information about critical, zero-day bugs in Apple’s QuickTime, Microsoft’s Windows Media Player and Adobe’s Portable Document Format (PDF).

According to Petkov, who declined to release details about the vulnerability, attackers can use Gmail’s filtering feature to exploit the bug. An attack, he said, would start with a victim visiting a malicious website while also still logged into his Gmail account. The malicious site would then perform what Petkov called a “multi-part/form-date POST” - an HTML command that can be used to upload files - to one of the Gmail application programming interfaces, then inject a rogue filter into the user’s filter list.[more]

Tags: Hackers