A "serious security flaw" in Gmail turns Google's e-mail service into a spamming machine, according to a recent security report.
INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards messages, a spammer can send thousands of bulk e-mails through Google's SMTP service, bypassing Google's 500-address bulk e-mail limit and identity fraud protections.
1. Who on earth are "INSERT"? These sorts of groups are usually industry PR operations to scare the hell out of the readers. This lot appear genuine: "Information Security Research Team (INSERT), a joint research group effort of the University of Puerto Rico at Mayaguez (USA) and the State University of Ceara (Brazil)."
2. They have a good update on it here [ece.uprm.edu]
"Due to the unexpected media impact of our report on Gmail's recently found flaw, we felt inclined to give a little update on the issue.
As of 3:00 PM (GMT -0400) today, the flaw we have reported remains unpatched and exploitable. We have run a new experiment where we were able to use our attack to send 2,000 messages using one Gmail account.
We would like to clarify to the security community that we contacted Google about the issue more than a week ago and no response was provided despite our clear intent of cooperation regarding this matter."
Sort of worrying that Google stick their head in the sand and don't even reply to academics who apparently do not have an axe to grind.
They tell the whole story including what they have done, how they did it, and the scale of it. It appears to actually be a lot more than a "scare story".