GMail backdoor patched, time to check your filters


Summary: Google has confirmed -- and I've verified -- that a fix for GMail has been distributed to block a flaw that allows hackers to hijack e-mail messages.



The cross-site request forgery exploit, discovered and partially disclosed by GNUCitizen's Petko D. Petkov, gave attackers an easy way to plant GMail filters to forward incoming mail to a third-party (hacker-controlled) e-mail address.

Even after Google's fix, GMail users are strongly encouraged to check their filter lists because the patch does not remove the rigged filter.


Remember, GMail filters are not the same as labels, which appear on the left pane of the GMail interface.

First, click on Settings in the top-right corner and then the Forwarding and POP tab to ensure that e-mail forwarding is either disabled or not hijacked to send your e-mail elsewhere.


Then, in the Filters tab, look carefully for any strange filter that may compromise your mailbox.
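The manual check above scales poorly if you manage several accounts or want to repeat it after every scare. The following Python script is an added example, not code from the article or from Google: it assumes the Atom XML that Gmail's Settings > Filters "Export" download produces (a feature that postdates this article) and parses the `apps:property` elements of each `entry`, then flags any filter whose `forwardTo` target is not on a trusted list. A filter that both forwards mail and trashes, archives or marks it read is reported as high severity, because that combination is what keeps the victim from noticing the copy being sent elsewhere. The sample feed embedded below is constructed for illustration; the addresses in it are placeholders.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample laid out like Gmail's filter export feed (assumed format;
# not captured from a real account). Entry 2 is the kind of filter the article warns about.
SAMPLE_FILTER_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR reset OR invoice'/>
    <apps:property name='forwardTo' value='dropbox@attacker.invalid'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='to' value='me@example.com'/>
    <apps:property name='forwardTo' value='me@work.example.com'/>
  </entry>
</feed>
"""

# Property names Gmail uses for match criteria and for actions that hide a message.
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
HIDING_KEYS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")


def parse_filters(xml_text):
    """Return one dict of apps:property name -> value per <entry> in the feed."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {}
        for prop in entry.findall(APPS + "property"):
            props[prop.get("name")] = prop.get("value", "")
        filters.append(props)
    return filters


def audit_filters(filters, trusted_forward_addresses):
    """Flag every filter that forwards to an address outside the trusted list."""
    trusted = {a.strip().lower() for a in trusted_forward_addresses}
    findings = []
    for index, props in enumerate(filters):
        target = props.get("forwardTo", "").strip().lower()
        if not target or target in trusted:
            continue
        # Forward-and-hide is the signature of a hijack filter: the owner never sees the mail.
        hiding = [k for k in HIDING_KEYS if props.get(k, "").lower() == "true"]
        findings.append({
            "index": index,
            "forwardTo": target,
            "criteria": {k: props[k] for k in CRITERIA_KEYS if k in props},
            "hides_from_inbox": hiding,
            "severity": "high" if hiding else "medium",
        })
    return findings


def format_report(findings):
    """Render findings as the text a user would read before deleting the filter."""
    if not findings:
        return "No filters forward mail to an untrusted address."
    lines = []
    for f in findings:
        lines.append(f"[{f['severity'].upper()}] filter #{f['index']} forwards to {f['forwardTo']}")
        for key, value in f["criteria"].items():
            lines.append(f"    matches {key}: {value}")
        if f["hides_from_inbox"]:
            lines.append("    and hides your copy: " + ", ".join(f["hides_from_inbox"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Your own forwarding destinations go in the trusted list; everything else is reported.
    found = audit_filters(parse_filters(SAMPLE_FILTER_EXPORT), ["me@work.example.com"])
    print(format_report(found))
```

Run it against your real export by replacing `SAMPLE_FILTER_EXPORT` with the downloaded file's contents and listing the addresses you deliberately forward to. Anything it reports should be deleted in the Filters tab, and the Forwarding and POP tab still needs its own look, since account-level forwarding is not part of the filter export.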


Talkback

4 comments
  • Firefox/Noscript

    It warrants repeating: Gmail users who aren't already doing so might want to consider using Firefox along with the addon NoScript[1].

    Also, don't leave yourself logged into Gmail and be sure you've set up a 'strong' password.

    Aside from the Javascript 'backdoor' issue highlighted by Ryan, I've taken the added precaution of using POP with SSL to receive all Gmails to KMail (a Linux KDE mail client), which by default treats HTML as 'raw' text and so doesn't trigger any Javascript. KMail includes a preprocessor custom 'Filter' in which I pipe the inbound SMTP stream to SpamAssassin. Seems redundant until you see it has done its work. SpamAssassin isn't hard to set up and it is FREE.

    Safe surfing Folks.

    ==========
    [1] Your other options include globally disabling Javascript, but that will affect all sites' functionality; NoScript will allow you to override and select which sites you trust.
    D T Schmitz
    • I use gmail through pop only

      The only time I go to gmail is when I'm changing my settings.

      (or checking them :D )
      Resuna
  • RE: GMail backdoor patched, time to check your filters

    Could someone construct a filter that would only forward the junk mail to the hijackers? If they want my email, they can have all the junk mail they want.
    stephen.schneider@...
  • RE: GMail backdoor patched, time to check your filters

    A serious Gmail account hacking backdoor has been found in the popular mail archiving software G-Archiver. This application, in all its innocence, allows you to download and backup all emails from your gmail account. But apparently the developer included the code to send an email to his email ID with all usernames and passwords.
    royalmad