 |
News Item |
0 |
|
|
It’s your worst nightmare – someone reads parts of your Google emails, views your docs, modifies your spreadsheets, checks out your reading habits on the Google personalized homepage or Google Reader, and goes through your search history.
Yet, by making use of a new Google security hole, Tony Ruscoe was able to do all that with my Google account.
Tony’s not a malicious hacker of course (in fact, the first thing he did was inform Google Security!), but he found a loophole in a new feature Google rolled out recently.
Using a proof of concept script targeting this loophole – which I can detail once it’s fixed –, all Tony needed to do was make a user who’s logged into their Google Account visit a page of his, which happened to be on a “trustworthy” google.com sub-domain.
I visited Tony’s page, which sent my Google cookies to Tony, which in turn enabled him to:
* Get into my Google Docs & Spreadsheets application and read and modify documents I saved there
* Read subjects from my Gmail inbox, as well as the first few words of these emails, by adding a Gmail module to the Google Personalized Homepage
* View my Google Accounts page
* Enter my Google Reader
more @ source.
|
»
full story @ source-link: ace
|
| Related Articles: |
»
Super Bowl Site Hacked with Trojan, Keylogger
»
Another Google Hole Uncovered
»
Google Security Hole Allows Account Hijacking
»
How to crash a Windows mobile using MMS
|
|
|
