Google has been hitting a few speed bumps lately with their Gmail service. They’ve had some problems in the past, but the latest round of trouble started with around 60 users who lost some or all of their email received prior to December 18th. It was another instance of Google performing magic and making those messages disappear, except the trick went bad and the messages didn’t come back. Then came the flaw that could have given anyone your contact list. This happened at the end of December, shortly after the first problem. It appears to be fixed, and now speed bump #3 comes along. They say that the third time is a charm, so hopefully this is the last of the problems for now!
The latest problem was reported by Google Blogoscoped, whose author luckily had a friendly hacker (Tony Ruscoe) get access to emails, spreadsheets, reading habits on the Google personalized homepage, search history, etc. Now how’d you like someone viewing all of that? It really wouldn’t be a very nice surprise. That’s just the short list of what he was able to do! What he wasn’t able to do was read the full emails, check Calendar events, or change the Google Account password.
Tony got this access using a “proof of concept” script specifically targeting this loophole. All that was needed was for a person who was logged into their Google account to visit a page of his. After the visit, the user’s Google cookies were available to Tony, which gave him access to all kinds of personal information. Ruscoe was a nice guy and contacted Google Security about it first, and hasn’t disclosed how it was done.
Google Blogoscoped says not to worry because, “the vulnerability in question is a very special kind, and Tony, by