One of the features that I use quite often in Gmail is the filter list. With filters I’m able to forward, apply labels, and delete/archive emails as they come in. Unfortunately this was also a source for hackers to wreak havoc on you.
As it turns out new filters could previously be added simply by visiting an unsuspecting website. The malicious site can create filters that will scan emails looking for phrases such as “password,” and have those emails forwarded to an address of their choosing. Here’s how it works:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
Unfortunately one guy has really felt the wrath of this vulnerability, and you should protect yourself by double-checking your current filters. Look for any filters that forward to an unknown address.
This vulnerability has already been patched, but if you’re still worried about something similar happening in the future there is a very simple solution. After you get done reading your email just logout of your account. If you’re not logged in vulnerabilities like this one will be unable to access your account.