November 25, 2008 6:05 PM PST

Gmail 'vulnerability' turns out to be phishing scam

by Steven Musil

Reports that a purported Gmail vulnerability was being used by unauthorized third parties to hijack domains turned out to be nothing more than a phishing scam, Google announced Tuesday.

The alleged vulnerability reportedly allowed an attacker to set up filters on users' e-mail accounts without their knowledge, according to a proof of concept posted Sunday at the blog Geek Condition. In the post, Geek Condition's "Brandon" wrote that the vulnerability had caused some people to lose their domain names registered through GoDaddy.com.

However, after consulting with those who claimed to be affected by the so-called vulnerability, Google determined that they were victims of a phishing scam, Google information security engineer Chris Evans explained in a blog post:

Attackers sent customized e-mails encouraging Web domain owners to visit fraudulent Web sites such as "google-hosts.com" that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired.

A Google representative contacted me early Monday to let me know the company was trying to contact "Brandon" to get more information on his claim, but there was no word whether that blogger helped Google arrive at its conclusion. As of this writing, the blog has not been updated to mention Google's finding.

While this security breach was apparently unrelated to Gmail's operation, Google reminded users to enter Gmail sign-in credentials only at Web addresses starting with "https://www.google.com/accounts," and not to ignore warnings their browsers may raise regarding certificates.
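The address check Google recommends, written out as an added example (not part of the original article and not Google's code): it parses a link with the same URL parser browsers use and compares scheme, host and path exactly, because matching on the word "google" alone would accept the phishing host named above. The trusted address is the one quoted in the article; the sample links, apart from the google-hosts.com host name, are constructed.

```javascript
// Added example. The trusted address is the one quoted in the article;
// every sample link except the google-hosts.com host is constructed.
const TRUSTED = { protocol: "https:", hostname: "www.google.com", pathPrefix: "/accounts" };

function checkSignInUrl(raw) {
  let url;
  try {
    url = new URL(raw); // same WHATWG parser browsers use
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== TRUSTED.protocol) {
    return { ok: false, reason: "not https" };
  }
  // "https://www.google.com@other.example/" puts the familiar name in userinfo.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo before host" };
  }
  // Exact host comparison: a lookalike or a longer name that merely
  // contains the trusted one is a different site.
  if (url.hostname !== TRUSTED.hostname || url.port !== "") {
    return { ok: false, reason: "host mismatch: " + url.host };
  }
  const p = url.pathname;
  if (p !== TRUSTED.pathPrefix && !p.startsWith(TRUSTED.pathPrefix + "/")) {
    return { ok: false, reason: "path outside " + TRUSTED.pathPrefix };
  }
  return { ok: true, reason: "trusted sign-in address" };
}

const SAMPLE_LINKS = [
  "https://www.google.com/accounts/ServiceLogin",
  "http://www.google.com/accounts/ServiceLogin",
  "https://google-hosts.com/accounts/ServiceLogin",
  "https://www.google.com.signin.example/accounts",
  "https://www.google.com@signin.example/accounts",
  "https://www.google.com/accountsx",
];

function auditLinks(links) {
  return links.map((link) => ({ link, ...checkSignInUrl(link) }));
}

for (const r of auditLinks(SAMPLE_LINKS)) {
  console.log((r.ok ? "OK    " : "REJECT") + " " + r.link + " (" + r.reason + ")");
}
```

Only the first sample passes; the others fail on scheme, host, userinfo or path, which are the places a look-alike link differs from the real one.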

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.
by mementh November 25, 2008 9:44 PM PST
roflmao for google mail it has issues with the ssl for https://gmail.com which is using https://mail.google.com 's ssl cert.. cheap %#&@
by canberra_photographer November 26, 2008 11:11 PM PST
strange, both URLs resolve to a Google.com domain with the Verisign certificate working fine.
by RickyFr November 26, 2008 4:49 AM PST
The bad PR is Google's own fault. They do not have any way for Gmail account holders to talk to someone at Google to fix issues. Google is a black hole when it comes to communications with their subscribers. They have no real customer support so when bad things happen, they will be blamed. Perhaps correctly, perhaps not.
by close5828 November 26, 2008 11:10 AM PST
Agreed. I have a Gmail account but I only use it for Google Talk; my friends/contacts that use Gmail can't understand why I refuse to use it for my e-mail, and stick w/ my current host (Yahoo).

Whatever Yahoo (or even Hotmail) is or isn't, they don't use e-mail "content" for marketing--this has danger written all over it. I'm not a privacy expert or anything, but the "trust us" approach that Google has used with Gmail really turns me off. When I open my e-mail on Yahoo or Hotmail, I can see advertising; it's a necessary evil, but it's what keeps my account free so I accept it. However, I do not like or accept that my e-mail's content...the actual words...are being read/used to market information to me. Some see this as being not a problem b/c it's automatic (like a spam filter) but a spam filter is built to keep stuff out, not bring stuff back in. Sorry, this, along with Google's inability to really address its customers' concerns still has me turned off on them.

While I'm no fan of Yahoo or Hotmail, you can contact either one of them about issues w/ your account (free or otherwise) and they will respond. To date, I've never been able to find a way to e-mail Google about issues w/ Gmail unless it was something catastrophic (ie. account theft).
by Lobout November 26, 2008 5:42 AM PST
RickyFr what do you expect from a FREE service. Do you expect them to have a 24x7 support desk for something that they make absolutely no money on to begin with. What planet are you from? Google is in business to make money not give it away. Yes they have issues, but if you want customer service then maybe you should use a pay service where you have support options.
by aka_tripleB November 26, 2008 7:42 AM PST
What are you talking about making absolutely no money from GMAIL? Isn't Google's entire business model based on free services and revenue from ads? You can't hide behind, "Well, it's a free service and that's why tech support sucks" when that is the business model you choose to go with.
by AppleSuxLeo November 28, 2008 7:05 PM PST
GoDaddy must be a POS since Dale (I aint no Dale SR.) Jr. makes ads for it.
Also flat-as-a-board lil munchkin Danika makes ads for it too , so there you go.