Google plugs Gmail security hole

Three days after ethical hacker Petko Petkov announced his discovery of a cross-site scripting vulnerability in Gmail, Google says it has fixed the problem.

"We worked quickly to address the recently reported vulnerability, and we have rolled out a fix," a Google Australia spokesperson said today.

The vulnerability discovered by Petkov, who posted his findings at the GNUCitizen website, could potentially have allowed an attacker to seize control of session cookies if a user clicked on a malicious link while logged into their account.

Under the scenario, an attacker could siphon emails from the hacked account to a separate POP account, Chris Gatford, from penetration-testing company Pure Hacking, explained on Wednesday.

"If someone picks up on this before Google fixes it — or if someone knew of the vulnerability before this guy published it — this could be very damaging to Gmail users," Gatford said.

However, Google's spokesperson said the search giant had not received any reports of the vulnerability being exploited, and added: "Google takes the security of our users' information very seriously."

Pure Hacking's Gatford said cross-site scripting vulnerabilities are gaining popularity amongst attackers and that many organisations are overlooking the problem.

"In the last year or so, [cross-site scripting vulnerabilities] have been used by attackers to grab cookie values and therefore gain access to normally password-protected sites," said Gatford.