One of the features that I use quite often in Gmail is the filter list. With filters I’m able to forward, apply labels, and delete/archive emails as they come in. Unfortunately, this was also a way for attackers to wreak havoc on your account.
As it turns out, new filters could previously be added simply by visiting a malicious website while logged into Gmail. Such a site could create filters that scan incoming emails for phrases such as “password” and forward those emails to an address of the attacker’s choosing. Here’s how it works:
The victim visits a page while logged into Gmail. The page performs a multipart/form-data POST to one of the Gmail interfaces and injects a filter into the victim’s filter list; because the browser attaches the victim’s Gmail cookies to that request, Gmail treats it as if the victim had submitted it. In the example above, the attacker writes a filter that simply looks for emails with attachments and forwards them to an address of their choice. This filter automatically forwards every email matching the rule, and future emails will be forwarded as well. The attack persists for as long as the filter remains in the victim’s filter list, even after Google fixes the underlying vulnerability that allowed the injection.
Unfortunately, one guy has already felt the wrath of this vulnerability, so protect yourself by double-checking your current filters. Look for any filters that forward to an address you don’t recognize.
This vulnerability has already been patched, but if you’re still worried about something similar happening in the future, there is a very simple solution: after you’re done reading your email, just log out of your account. If you’re not logged in, vulnerabilities like this one can’t reach your account.
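The reason the forged POST works is that cookies alone say nothing about which page built the request. The following is an added example, not Gmail’s code, showing the two server-side checks that stop a cross-site form submission of this kind: an Origin/Referer check and a per-session token that a foreign page cannot read. The names `ALLOWED_ORIGINS`, `make_csrf_token` and `check_request`, and the request values, are assumptions constructed for the example.

```python
"""Server-side anti-CSRF check for a state-changing form handler.

Added example, not Gmail's code. It models a "create filter" endpoint that
only acts on a multipart/form-data POST when the browser reports a
same-site origin AND the form carries the per-session token.
"""
import hashlib
import hmac
import secrets
from typing import Tuple
from urllib.parse import urlsplit

# Constructed: the origin the application itself is served from.
ALLOWED_ORIGINS = {"https://mail.example.com"}
# Constructed per-deployment secret used to derive per-session tokens.
SECRET_KEY = secrets.token_bytes(32)


def make_csrf_token(session_id: str) -> str:
    """Derive the token the server embeds in its own forms as a hidden field.

    A page on another site cannot read this value, so it cannot include it
    in a forged submission, even though the browser will send the cookie."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_request(headers: dict, form: dict, session_id: str) -> Tuple[bool, str]:
    """Decide whether a POST may be acted on; returns (accepted, reason).

    headers: request headers; form: decoded multipart/form-data fields;
    session_id: the session the browser's cookie resolved to. The cookie is
    sent automatically on cross-site POSTs, which is why it proves nothing."""
    # Check 1: the browser reports where the submission came from.
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return False, "no Origin or Referer header"
    if origin_of(src) not in ALLOWED_ORIGINS:
        return False, f"cross-site submission from {origin_of(src)}"
    # Check 2: the form must carry the per-session token; compare in constant time.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, make_csrf_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "victim-session"
    # Constructed: a submission from another site, cookie present but no token.
    print(check_request({"Origin": "https://other.example.net"},
                        {"hasAttachment": "true", "forwardTo": "someone@example.net"}, sid))
    # Constructed: the application's own form, which carries the token.
    print(check_request({"Origin": "https://mail.example.com"},
                        {"hasAttachment": "true", "forwardTo": "me@example.org",
                         "csrf_token": make_csrf_token(sid)}, sid))
```

The token check carries the weight: browsers of the era did not send an Origin header at all, and Referer can be stripped by proxies, so a handler that relied on headers alone could not tell a forged filter submission from a real one.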
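Checking a long filter list by eye is error-prone, so here is an added example (not part of the original post) that audits an exported filter list instead. It assumes the Atom-based mailFilters.xml format that Gmail’s filter export produces, with `apps:property` elements such as `forwardTo`, `hasAttachment` and `shouldArchive`; the embedded sample export is constructed, not a real one, and the trusted-address list is whatever addresses you actually own.

```python
"""Audit an exported Gmail filter list for forwarding rules you did not create.

Added example, not part of the original post. Assumes the mailFilters.xml
export format (Atom feed, one <entry> per filter, criteria and actions as
<apps:property name=... value=.../>). SAMPLE_EXPORT is constructed.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample export with three filters; only the last one is suspicious:
# it matches every mail with an attachment, forwards it to an unknown address,
# and archives the original so the owner never sees it in the inbox.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='subject' value='invoice'/>
    <apps:property name='forwardTo' value='me@example.org'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasAttachment' value='true'/>
    <apps:property name='forwardTo' value='unknown@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property_name: value} dict per <entry> in the export."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [
        {p.get("name"): p.get("value") for p in entry.findall(f"{APPS}property")}
        for entry in root.findall(f"{ATOM}entry")
    ]


def audit_filters(filters, trusted_addresses):
    """Flag filters that forward mail anywhere other than an address you own.

    Returns a list of (index, properties, reasons). A forward combined with
    archive or trash is called out separately: the matched mail never reaches
    the inbox, so the owner has no visible trace of what is leaving."""
    trusted = {a.lower() for a in trusted_addresses}
    findings = []
    for idx, props in enumerate(filters):
        target = props.get("forwardTo")
        if target is None or target.lower() in trusted:
            continue
        reasons = [f"forwards matching mail to untrusted address {target}"]
        if props.get("shouldArchive") == "true" or props.get("shouldTrash") == "true":
            reasons.append("also archives/trashes the match, hiding it from the inbox")
        findings.append((idx, props, reasons))
    return findings


if __name__ == "__main__":
    for idx, props, reasons in audit_filters(parse_filters(SAMPLE_EXPORT), ["me@example.org"]):
        print(f"filter #{idx} {props}")
        for reason in reasons:
            print("  -", reason)
```

Run it against your own export with your real addresses in the trusted list; any finding is a filter to delete, and the archive/trash flag is the detail to look at first, since that is what keeps an injected forward invisible.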

Just another reason to only keep your Gmail open when needed rather than all the time, like Google seems to promote with their toolbar and iGoogle page. I definitely like my Gmail, but this is a very good wake-up call. Remember, don’t store passwords in your Gmail, and yes, it is tempting. Instead consider PassPack at [passpack.com]. This way you can have your passwords online and still be safe.
Also, make sure to check that you don’t have IMAP or POP forwarding set unless you specifically set it yourself. I heard that that’s another way hackers can get your passwords and junk.
It’s been tough for me to hold back on storing my passwords, but I’ve been getting better at typing them in manually.
Good point. I assume that loophole has been patched as well.
Using a Firefox plugin like NoScript is another useful tool in defending yourself whilst browsing.
I’ve used NoScript for a little while, but it just became too much of a hassle after awhile.