Google Rushes Out Patch For Gmail Security Flaw

Google has quickly fixed a vulnerability that could allow someone to send spam to Gmail users after they visited a particular website

Google has hurriedly issued a patch for a vulnerability that could allow spam to be sent to Gmail users who visited a specially crafted website.

The bug was first reported 20 November by TechCrunch after someone known as Vahe G. created a site to exploit the issue. The situation affected users who visited the site while they were still logged onto Gmail, and reportedly worked regardless of whether or not the user was browsing in Google Chrome’s “Incognito” mode.

“We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account,” a Google spokesperson said. “We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com.”

Serious Security Hole

Graham Cluley, senior technology consultant for Sophos, noted in a blog post that the flaw could have provided a nice payday for spammers.

“Although this particular exploit appears to have been set up for mischief, more malicious hackers could easily have exploited the vulnerability to spread the typical money-making spam we often see or to distribute malware or a phishing attack,” he wrote. “Users might be much more likely to click on a link if they saw it really did come from Google, and could put their personal data in danger.”

“Nevertheless,” he continued, “security issues like this are a real concern as more and more people rely upon email communications and their webmail providers to deliver a reliable, filtered inbox. This was a serious security hole.”

Cash Reward

Google recently expanded its bug reporting program to include the company’s web applications. The rewards program offers bug finders a maximum of $3,133 (£1,970) for vulnerabilities reported directly to the company.

The base reward for qualifying bugs is $500 (£314).