Like a lot of people, I stay signed into Gmail while surfing the Web. But a security hole — one that has since been closed — revealed that even this innocent practice could be exploited. A hacker built a site that, when visited, harvested the Gmail addresses of anyone logged into the free e-mail service. That makes me a little nervous.
TechCrunch's Michael Arrington found out about the exploit, which e-mailed people at their Gmail accounts after they visited a now-defunct Blogspot (Google) site.
Arrington admits that he doesn't think this is a malicious or lethal bug, but it exposes a vulnerability within Google that "a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable."
In updates, Arrington shared confirmation from Google and a resolution:
"We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to email@example.com."
The creator of the site, self-identified only as "Vahe G. (Armenian 21yrs guy whom Google doesn’t wanted to even talk to)," contacted Arrington. From his e-mail, it looks like he just wanted to challenge the assumption that "big companies act like they all really protect our privacy and such." In fact, he's glad Google shut down his site.
"I really don’t want people to know about how that was done (if Google contacts I will definitely tell them — they just don’t answer my emails). Problem relies solely on Google," he wrote Arrington.
For some reason, that doesn't make me feel any better.