Petko Petkov of “ethical hacking” group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users.
“This can be used to forward all your incoming e-mail,” Pure Hacking security researcher Chris Gatford said. “It’s just a proof of concept at the moment, but what they’re demonstrating is the potential to use this vulnerability for malicious purposes.”
According to Gatford, attackers could compromise a Gmail account–using a cross-site scripting vulnerability–if the victim is logged in and clicks on a malicious link. From that moment, the attacker can take over the session cookies for Gmail and subsequently forward all the account’s messages to a POP account.
“If someone picks up on this before Google fixes it–or if someone knew of the vulnerability before this guy published it–this could be very damaging to Gmail users,” he added.
The problem is potentially compounded by Google’s policy of retaining cookies for two years.
“Once you’ve managed to snarf a cookie, you can access (a user’s) Gmail account without the password for the next two years,” he said.
Read Complete Hack @ Zdnet.com