Google Plugs Gmail Hole

Google has fixed a security flaw in its Gmail Web-based e-mail service that allowed attackers to hijack users' e-mail accounts.

"Google was recently alerted to a potential security vulnerability affecting the Gmail service. We have since fixed this vulnerability, and all current and future Gmail users are protected," Google spokesperson Nathan Tyler says.

Tyler declines to discuss the nature of the problem, but a source close to Google confirms that the flaw allowed an attacker to gain complete control over a user's account.

Stealing Cookies

The problem was in the way Gmail authenticated users. An attacker could steal a so-called cookie file identifying the user by making use of a seemingly innocent link to Google's own Web site, according to a report on the Web site of the Israeli publication Nana NetLife Magazine last week.

The cookie allowed an attacker to sign on to Gmail as that user from any computer without having to enter a password. The attacker would continue to be able to access the Gmail account even if the password were changed, according to Nana NetLife, which cites an Israeli hacker named Nir Goldshlagger.

An investigation by Google found that only a handful of Gmail users were victimized, the source close to the Mountain View, California-based company says.

Google announced Gmail in April, grabbing headlines because of the massive 1GB storage space provided with a Gmail account. The service is still officially in beta testing and Internet users can only get accounts after receiving an invitation from a current user. Google does not disclose how many Gmail accounts it hosts.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon