Marcel Richter found a phishing vulnerability in the Gmail/Google Account login. He contacted Google Security in May, but the hole persists and Google doesn't reply to him.
Here"s how the vulnerability would appear to someone who doesn"t know about it:
You are seeing a link to log-in to email. The link is correctly pointing to Google.com
After clicking the link -- you"re still on Google.com -- you log-in (if you were already logged-in, you"d be skipping this step)
You"ll now receive a message that your password doesn"t match, so you"ll enter your credentials again
At step 3, the cracker now has your password -- because step 3 wasn"t a google.com domain anymore, but any other website which the abuser controlled.
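The missing control in the flow above is a check on where the login page sends the browser afterwards. As an added defensive example (not code from the original post or from Google), the function below validates a post-login "continue" target against an allowlist of hosts; the host names and default target are assumptions.

```python
from urllib.parse import urlparse, urljoin

# Constructed allowlist for this example (hypothetical hosts, not Google's real setup).
ALLOWED_HOSTS = {"www.google.com", "mail.google.com", "accounts.google.com"}
LOGIN_ORIGIN = "https://accounts.google.com"
DEFAULT_TARGET = "https://mail.google.com/"


def safe_continue_url(candidate: str, default: str = DEFAULT_TARGET) -> str:
    """Return a post-login redirect target that stays on an allowed host.

    Anything that would send the browser off-site (absolute URL to another
    host, scheme-relative '//host', userinfo tricks such as
    'https://mail.google.com@other.example', lookalike hosts, or a non-http(s)
    scheme) is replaced by `default`, so the login page cannot be used as an
    open redirector to a credential-harvesting page.
    """
    if not candidate or "\\" in candidate:
        # Empty value, or backslashes that some browsers treat as '/'.
        return default
    # Resolve relative paths against the login origin. This also turns
    # '//other.example/x' into an absolute URL whose host is 'other.example'.
    absolute = urljoin(LOGIN_ORIGIN + "/", candidate.strip())
    parts = urlparse(absolute)
    if parts.scheme not in ("http", "https"):
        return default
    # .hostname is lowercased and has userinfo and port stripped, unlike .netloc,
    # so 'https://mail.google.com@other.example/' yields host 'other.example'.
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return default
    return absolute
```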
Source: Google Blogoscoped (blog). Publish date: 8/8/2007 7:01:09 AM
Keywords: google vulnerability