Welcome to WebmasterWorld Guest from

Forum Moderators: open

Message Too Old, No Replies

"Serious Security Flaw" In Google's Gmail: Potential Spamming Machine

3:14 pm on May 12, 2008 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
votes: 292

A "serious security flaw" in Gmail turns Google's e-mail service into a spamming machine, according to a recent security report.

INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards messages, a spammer can send thousands of bulk e-mails through Google's SMTP service, bypassing Google's 500-address bulk e-mail limit and identity fraud protections.

"Serious Security Flaw" In Google's Gmail: Potential Spamming Machine [news.com]

9:54 am on May 14, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 5, 2002
votes: 0

I was interested in this, as I have been looking at how "news" is disseminated. Most of it is "spun" by commercially involved parties to lazy journalists who like a "scare" story. Interestingly this story is genuine, rather than manufactured "scare" stuff.

1. Who on earth are "INSERT". These sorts of groups are usually industry PR operations to scare the hell out of the readers. This lot appear genuine "Information Security Research Team (INSERT), a joint research group effort of the University of Puerto Rico at Mayaguez (USA) and the State University of Ceara (Brazil).

2. They have a good update on it here [ece.uprm.edu]

"Due to the unexpected media impact of our report on Gmail's recently found flaw, we felt inclined to give a little update on the issue.
As of 3:00 PM (GMT -0400) today, the flaw we have reported remains unpatched and exploitable. We have ran a new experiment where we were able to use our attack to send 2,000 messages using one Gmail account.
We would like to clarify to the security community that we have contacted Google about the issue more than a week ago and no response was provided despite our clear intent of cooperation regarding this matter. "

Sort of worrying that Google stick their head in the sand and don't even reply to academics who apparently do not have an axe to grind.

They tell the whole story including what they have done, how they did it, and the scale of it. It appears to actually be a lot more than a "scare story".


Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members