Google Gmail Advertising Forum

"Serious Security Flaw" In Google's Gmail: Potential Spamming Machine

engine (WebmasterWorld Administrator, WebmasterWorld Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month)

Msg#: 3647926 posted 3:14 pm on May 12, 2008 (gmt 0)

A "serious security flaw" in Gmail turns Google's e-mail service into a spamming machine, according to a recent security report.

INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards messages, a spammer can send thousands of bulk e-mails through Google's SMTP service, bypassing Google's 500-address bulk e-mail limit and identity fraud protections.

"Serious Security Flaw" In Google's Gmail: Potential Spamming Machine [news.com]



WebmasterWorld Senior Member 10+ Year Member

Msg#: 3647926 posted 9:54 am on May 14, 2008 (gmt 0)

I was interested in this, as I have been looking at how "news" is disseminated. Most of it is "spun" by commercially involved parties to lazy journalists who like a "scare" story. Interestingly this story is genuine, rather than manufactured "scare" stuff.

1. Who on earth are "INSERT"? These sorts of groups are usually industry PR operations to scare the hell out of the readers. This lot appear genuine: "Information Security Research Team (INSERT), a joint research group effort of the University of Puerto Rico at Mayaguez (USA) and the State University of Ceara (Brazil)."

2. They have a good update on it here [ece.uprm.edu]

"Due to the unexpected media impact of our report on Gmail's recently found flaw, we felt inclined to give a little update on the issue.
As of 3:00 PM (GMT -0400) today, the flaw we have reported remains unpatched and exploitable. We have run a new experiment where we were able to use our attack to send 2,000 messages using one Gmail account.
We would like to clarify to the security community that we have contacted Google about the issue more than a week ago and no response was provided despite our clear intent of cooperation regarding this matter."

Sort of worrying that Google stick their head in the sand and don't even reply to academics who apparently do not have an axe to grind.

They tell the whole story including what they have done, how they did it, and the scale of it. It appears to actually be a lot more than a "scare story".
