Softpedia
 


November 22nd, 2010, 08:53 GMT · By

Vulnerability Allowed Hacker to Send Emails in Google's Name


Google patches serious bug in Apps Script API
An Armenian hacker demonstrated a serious security issue in Google Apps over the weekend, which allowed him to harvest email addresses from Gmail users and send them very credible messages in Google's name.

The attack was demoed through a specially crafted Blogspot page. Any user logged into Gmail who visited this page immediately received an email appearing to originate from the company.

According to Graham Cluley, a senior technology consultant at antivirus vendor Sophos, what's interesting about this is that the rogue emails did not have forged headers.

They came from a noreply@google.com address, through maestro.bounces.google.com and were signed by google.com, making them very suitable for phishing.

Rogue email sent on Google's behalf
One attack scenario would involve spreading a link to the Blogspot page through Facebook by promising an intriguing video or using some other lure.

Visitors who are logged into Gmail would then receive an email crafted as a security alert from Google, which would direct them to a phishing page mimicking the sign-in page.
 
The details of the vulnerability have not been publicly disclosed, and in an email to TechCrunch, the hacker, who presents himself as a 21-year-old Armenian named Vahe G., said that he doesn't want people to find out how it was done.

He also mentioned that he tried getting in contact with Google prior to demonstrating the exploit, but the company did not get back to him.

This is strange considering the company is now offering bounties for serious vulnerabilities found in its Web services. This bug could have earned Vahe $500 or more if he had reported it through the proper channels.

The search giant confirmed the existence of the flaw in its Google Apps Script API and said that it was quickly dealt with.

"We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account," a Google spokesperson told TechCrunch.

"We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com," they added.


