Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search Appliance

[ UPDATE, October 1, 2007:  Google has issued a fix for this issue.  It's important that you check your filters to ensure your mailbox isn't compromised ]

Google's security model is not holding up very well to scrutiny from hackers.

In the past few days, there have been multiple disclosures of security vulnerabilities in a wide range of Google products, including a persistent e-mail theft issue affecting the widely used GMail service.

The unpatched GMail bug, which was demonstrated for me by hacker Petko D. Petkov, is particularly nasty because of the way the exploit works without any user action and the fact that it's difficult for the average GMail user to know that e-mails are being stolen.

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim's filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forward them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

The attack technique is known as cross-site request forgery (CSRF) and has haunted Google in the past. Earlier this year, the company was forced to correct a similar flaw after details leaked out on an issue that put GMail contact lists at risk.

Google Search Appliance users at risk:

Separately, a Romanian security researcher has published details of a cross-site scripting bug affecting users of the enterprise-facing Google Search Appliance.

Mustlive, the hacker behind the Month of Search Engine Bugs project, published a proof-of-concept and a Google dork to demo the attack -- and expose businesses using the search appliance.

Google (Blogspot) Polls vulnerability

A third issue has been disclosed at Beford.org to show how a cross-site scripting bug in Google's Blogspot Polls could allow the hijacking of sensitive information.

The 'font' parameter was not being sanitized before being used inside an STYLE tag, so you could inject IE's expression() and Mozilla's -moz-binding.

Several proof-of-concepts -- this one hijacks your Google contacts, this one intercepts incoming GMail -- are publicly available. (IMPORTANT NOTE: clicking on those links while logged into Google Accounts might not be such a good idea).

An exploit against Picasa

Google's Picasa photo-sharing software and Web service is also vulnerable to an exploit scenario that uses a combination of cross-site scripting, cross-application request forgery and URI handler weakness to steal photographs from the victim's hard drive.

Technical details of the Picasa issue have been released by Billy Rios and Nate McFeters.

Finally, there's a cross-site scripting bug in Google's Urchin Analytics service that can be exploited to steal user credentials. An explanation of this vulnerability has been published by Adrian Pastor.