"Petko Petkov of "ethical hacking" group GNUCitizen has developed a
proof-of-concept program to steal contacts and incoming e-mails from
Google Gmail users.
"This can be used to forward all your incoming e-mail," Pure
Hacking security researcher Chris Gatford said. "It's just a proof of
concept at the moment, but what they're demonstrating is the potential
to use this vulnerability for malicious purposes."
According to Gatford, attackers could compromise a Gmail
account, using a cross-site scripting vulnerability, if the victim is
logged in and clicks on a malicious link. From that moment, the
attacker can take over the session cookies for Gmail and subsequently
forward all the account's messages to a POP account.
"If someone picks up on this before Google fixes it, or if
someone knew of the vulnerability before this guy published it, this
could be very damaging to Gmail users," he added.
The problem is potentially compounded by Google's policy of retaining cookies for two years."
Article Link: http://news.zdnet.com/2100-1009_22-6210353.html
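The two weak points the article describes are a session cookie that injected script can reach and a cookie lifetime measured in years. The following is an added example, not code from the article or from Google: a small audit that parses a `Set-Cookie` header and flags the attributes that limit the damage of cookie theft via XSS. The cookie name `session`, the values and the one-day lifetime threshold are constructed assumptions, not Gmail's real settings.

```javascript
// Audit a Set-Cookie header for properties that limit session-cookie theft.
// Cookie names/values below are constructed; they are not Gmail's real cookies.

const ONE_DAY = 24 * 60 * 60; // assumed maximum acceptable session lifetime

// Split "name=value; Attr=val; Flag" into { name, value, attrs }.
// Attribute keys are lower-cased; bare flags (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), attrs: {} };
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : p.slice(eq + 1).trim();
  }
  return cookie;
}

// Lifetime in seconds from Max-Age (preferred) or Expires; null for a
// browser-session cookie or an unparseable date.
function lifetimeSeconds(cookie, now = Date.now()) {
  if ('max-age' in cookie.attrs) return parseInt(cookie.attrs['max-age'], 10);
  if ('expires' in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    return Number.isNaN(t) ? null : Math.round((t - now) / 1000);
  }
  return null;
}

// Returns the list of findings; an empty list means the cookie passes.
function auditSessionCookie(header, maxLifetime = ONE_DAY) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in c.attrs)) findings.push('missing HttpOnly: readable by injected script');
  if (!('secure' in c.attrs)) findings.push('missing Secure: may be sent over plain HTTP');
  if (!('samesite' in c.attrs)) findings.push('missing SameSite');
  const life = lifetimeSeconds(c);
  if (life !== null && life > maxLifetime) findings.push(`lifetime ${life}s exceeds ${maxLifetime}s`);
  return { name: c.name, findings };
}

// Constructed samples: a two-year cookie with no flags vs. a hardened one.
const WEAK = 'session=abc123; Path=/; Max-Age=63072000';
const HARDENED = 'session=abc123; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax';
```

HttpOnly stops injected script from reading the cookie value, but script running in the page can still send requests as the logged-in user, so a short lifetime and re-authentication for sensitive changes such as mail forwarding still matter.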