New vulnerability in the Gmail security system

Aug 13, 2007 09:09 GMT

Marcel Richter discovered a new security hole in the Gmail protection system in May, but it seems the folks at the Googleplex ignored the message and did not fix the flaw. Here is the exploitation procedure as described by Philipp Lenssen of Google Blogoscoped. While browsing the Internet, you see a link to log in to your Google account and, naturally, you click on it.

You're then redirected to a Google page that asks for your username and password; if the browser has already saved your details, you skip this step. This is the moment when you're in danger. According to the blogger, you then receive a message that the password is wrong, so you're asked to enter the information once again. The hacker steals what you enter and is now able to access your account.

"What happened here is that Google allows you to add a parameter when you link to Google Account login pages. This parameter describes the follow-up page the user should be automatically led to once they've successfully logged-in. Google is smart enough to only allow certain values for this parameter, but there's a hole in this defense," Philipp Lenssen wrote.

He added that he had already contacted the Mountain View company about the security hole, so it seems we're now protected from successful exploitation of the vulnerability.

As you can see, the entire attack works like a phishing attempt, so if you want to remain 100 percent secure, you should frequently check the URL of the webpage you're currently on. For example, you can avoid the last step of the exploitation, the one requiring you to enter the password one more time, by checking the website address in the browser, which is usually different from the original ones provided by Google.
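The quote above describes a login-link parameter that names the follow-up page and a defense that only allows certain values. As an added illustration (not code from Google or from the article, and not a reconstruction of the actual hole, which the article does not detail), this Python sketch contrasts a loose allowlist check with a strict one; the host names, function names and sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist and fallback page (placeholders, not Google's values).
ALLOWED_HOSTS = {"mail.example.com", "accounts.example.com"}
DEFAULT_TARGET = "https://accounts.example.com/"

# Constructed sample values for the follow-up-page parameter.
SAMPLES = [
    "https://mail.example.com/inbox",                # intended use
    "https://mail.example.com.attacker.test/login",  # allowed name as a prefix
    "https://attacker.test/?next=mail.example.com",  # allowed name in the query
    "https://mail.example.com@attacker.test/",       # allowed name as userinfo
    "//attacker.test/mail.example.com",              # scheme-relative URL
    "http://mail.example.com/inbox",                 # not HTTPS
]


def weak_is_allowed(target: str) -> bool:
    """Loose check: passes if an allowed host name appears anywhere."""
    return any(host in target for host in ALLOWED_HOSTS)


def strict_is_allowed(target: str) -> bool:
    """Parse the URL, then require HTTPS and an exact host match."""
    # Reject characters that browsers and parsers normalise differently.
    if target != target.strip() or any(c in target for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in ALLOWED_HOSTS


def safe_redirect_target(target: str) -> str:
    """Return the requested page only if it passes the strict check."""
    return target if strict_is_allowed(target) else DEFAULT_TARGET


if __name__ == "__main__":
    for url in SAMPLES:
        print(f"weak={weak_is_allowed(url)!s:5} strict={strict_is_allowed(url)!s:5} {url}")
```

The loose check accepts every sample, while the strict check accepts only the first; anything it rejects is replaced by the fixed default page rather than followed.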