Petko Petkov of “ethical hacking” group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users.
\n“This can be used to forward all your incoming e-mail,” Pure Hacking security researcher Chris Gatford said. “It’s just a proof of concept at the moment, but what they’re demonstrating is the potential to use this vulnerability for malicious purposes.” <\/p>\n
According to Gatford, attackers could compromise a Gmail account–using a cross-site scripting vulnerability–if the victim is logged in and clicks on a malicious link. From that moment, the attacker can take over the session cookies for Gmail and subsequently forward all the account’s messages to a POP account. <\/p>\n
“If someone picks up on this before Google fixes it–or if someone knew of the vulnerability before this guy published it–this could be very damaging to Gmail users,” he added. <\/p>\n
The problem is potentially compounded by Google’s policy of retaining cookies for two years. <\/p>\n
“Once you’ve managed to snarf a cookie, you can access (a user’s) Gmail account without the password for the next two years,” he said. <\/p>\n