Yesterday, we reported on an unholy trinity of Google vulnerabilities that put emails, private photos and website security at risk. Today came word of a new weakness that makes it easy for bad guys to silently put a backdoor in Gmail accounts.
The technique comes courtesy of Petko D. Petkov, a researcher at GNU Citizen, who writes in a blog post that the backdoor is installed simply by luring a victim to a specially crafted website while logged in to Gmail. The naughty site uses a slight of hand known as a multipart/form-data POST, which writes a filter to Gmail that causes all email with attachments to be forwarded to email@example.com.
Petkov didn’t provide a proof of concept or detailed documentation, but Ryan Naraine of the Zero Day blog writes here that the exploit was demonstrated for him. The bug “is particularly nasty because of the way the exploit works without any user action and the fact that it’s difficult for the average Gmail user to know that emails are being stolen,” he writes.
Users aren’t likely to notice a filter has been added unless they think to check the “Filters” section of their Gmail Settings.
A Google spokesman said company bug hunters were looking into the report.