Gmail Flaw Makes Phishing Easy
A proof-of-concept hacking demonstration shows, once again, that there's no such thing as a "small" security flaw. In this case, Gmail contains a crack in its wall that lets phishers squeeze in and, through a frame injection attack, display spoofed outside pages that nick your login details. Sounds nasty, huh?
This is why white-hat hacking is a good thing: what if the bad guys found this first?
A proof-of-concept (PoC) attack, published by Adrian Pastor of the GNUCitizen ethical hacking collective, exploits a weakness in the google.com domain that allows him to inject third-party content into Google pages. The result is a page that allowed him (at time of writing, anyway) to present a fraudulent Gmail login page while the browser's address bar showed mail.google.com.
So what's the big deal? "One small XSS [cross-site scripting] issue in Google Maps can now be exploited to hijack Google, GMail, or Google Apps accounts, by bypassing the browser's Same Origin Policy," Raff explained. In other words, combined with another seemingly inconsequential flaw, it can be enough to steal a Google user's login credentials.
Raff says he notified Google about the problem shortly after he identified it in April and that Google said the issue was being investigated.