Chicago (IL) - A recent post on GeekCondition claims that a Gmail vulnerability, that was supposedly repaired actually was not, and your account could potentially be vulnerable to hijacking and malicious attacks.

In December 2007, David Airey was a victim of this exploit when his website was hijacked. Google claimed to have repaired this vulnerability, however it apparently still exists.

It all starts when you are logged into your Gmail account and visit a malicious website. It does not matter whether you have clicked the link via your Gmail account or not, the malicious site is capable of accessing your internal credentials.

Instantaneously and without your knowledge, the malicious site is able to create an automatic filter that diverts your e-mail to a different e-mail account. You can view a detailed description of this at GeekCondition: Gmail Security Flaw Proof of Concept.

Not only can the exploit gain access to your private e-mail, it is also capable of compromising all future e-mails from your account.

In the event that your Gmail details are registered as the contact details for any domain registrations, then your domain can also be hijacked and held to ransom by the use of account recovery and password resetting tools on your host account without your knowledge or permission.

What can you do about this? You can check your e-mail filters and make sure that IMAP is disabled. Don’t use Gmail as your contact e-mail for any information that is sensitive. You should also change the e-mail details on any sensitive accounts you might have. When you register a domain, make sure you upgrade to a private registration. Do not open e-mail links unless you know the individual who sent it.

Another good idea is to encrypt your browser connection, a feature that is actually available on the main settings page in Gmail.
Google has not yet commented on the issue. For now, it is up to you to protect yourself.

Encrypting urself

Nov 25, 2008 08:09     

well before the thread goes on a rant of who knows what, what do you folks feel is the best browser and security combo you can go with for protecting yourself? myself its nod32 antivirus, spybot s&d, atf cleaner, firebox firewall, and ie 7 here. what u folks all using?
Andrew report abuse vote down vote up Votes: -2

Use the cloud!

Nov 25, 2008 11:51     

They say
nke report abuse vote down vote up Votes: +0

I use IMAP: can't just disable...

Nov 25, 2008 12:25     

I use IMAP everyday and I can't just disable it. POP just doesn't do the job. I own my own domain through yahoo, just have everything forwarded to Google as Gmail fixes all my spam problems yahoo could not. I use firefox w/NoScript plugin. Zonealarm Security Suite, and even use Untangle Security Gateway among the anti virus and firewall, it can block you accessing suspicious sites, but asks you are you sure you want to go there... While on yahoo, someone was spoofing my domain and spamming the world. I would get automatic emails from the SPAM blocker/firewalls telling me to stop emailing everyone. I really don't need any more problems with my email... Am I protected enough to stop these websites from getting into my account?

EyeCU report abuse vote down vote up Votes: +0

use postini

Dec 09, 2008 19:57     

buy postini from our webstore and you wont have this problem. www.devnetapps.com
David report abuse vote down vote up Votes: +0