Comments on: Gmail exploit may allow attackers to forward e-mail

A security vulnerability in Google's Web mail program may allow an attacker to set up filters on users' e-mail accounts without their knowledge, according to a proof of concept.

[Hunnter2k3]

Now that is a rather interesting exploit.
And from a phishers perspective, a much better way of getting information without actually stealing the account.

I guess the most obvious, and easiest, way Google could combat this would be to improve on the already fairly useful "Last activity" feature.
If any settings were changed in the past 5 sessions with Gmail, always show it, highlighted if they have to.
And with the Detail window, have a tree structure of activity per session, maybe even have an undo next to applicable items.
It would be pretty helpful IMO.

[dcrappell]

Wouldn't the HTTPS option stop this exploit as well?

[Nightwatch79]

Nope, check out Backtrack 3 on google. It can read your cookies even with https on!

[Mr. Dee]

I hope this puts the sanity back in every CIO's brain who was considering a jump from Exchange to the new kid on the block.

[Nightwatch79]

Yea,like exchange isn't full of exploits.... yea right!

[Nightwatch79]

Nope, check out Backtrack 3 on google. It can read your cookies even with https on!

[Michichael]

Go go NoScript!

And yes it's an exploit, but one that depends on tricking the user into giving you that information without their knowledge. Not very effective.

[MattCutts]

Just fyi, it looks like this issue was due to phishing, not any flaw in Gmail. The Gmail team has posted more information here: http://googleonlinesecurity.blogspot.com/2008/11/gmail-security-and-recent-phishing.html

[Palaminopony]

Was checking the spam and found my gmail account being used as a front for 3 spammers... ???
fijfel1988@westworld
.com

Varun-musaeus@intehp
last.ru

irduzrov_1987@778sof
tware.com