A site that grabs your GMail address

[vasa1]

Whoa, Google, That’s A Pretty Big Security Hole

Quote:

If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately. ...

And it even works in “incognito” mode (also known as porn mode).

In edit: that site is now down! and the problem fixed (for now).

Quote:

Google says the issue is now resolved: “We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com.”

[Cudni]

Good that was fixed quick. What other are left I wonder.

[m00nbl00d]

Maybe this sounds like a stupid question, but it was not mentioned whether or not you had to be signed in within the same browser session? Would it be possible for it to happen, even if having Gmail open in a different session (same or different web browser)?

[Cudni]

maybe more will be revealed later and the moment it seems a bug was in google api (maybe not checking access correctly). that blog site itself is part of google

[culla]

t happens in hotmail too

[Cudni]

Quote:

Originally Posted by culla

t happens in hotmail too

what does

[SweX]

Scary stuff indeed .

But I do always log-out when ever I am done with my email account or any other account for that matter to be sure something like this won't happen.