Google fixes Gmail 'ethical hacker' vulnerability

Three days after ethical hacker Petko Petkov announced his discovery of a cross-site scripting vulnerability in Gmail, Google says it has fixed the problem.

"We worked quickly to address the recently reported vulnerability, and we have rolled out a fix," a Google Australia spokesperson told ZDNet Australia today.

The vulnerability discovered by Petkov, who posted his findings at the GNUCitizen Web site, could potentially allow a attacker to seize control of session cookies if a user clicked on a malicious link while logged into their account.

Under the scenario, an attacker could siphon e-mails from the hacked account to a separate POP account, Chris Gatford, from penetration-testing company Pure Hacking, explained to ZDNet Australia on Wednesday.

"If someone picks up on this before Google fixes it -- or if someone knew of the vulnerability before this guy published it -- this could be very damaging to Gmail users," Gatford said.

However, Google's spokesperson said the search giant had not received any reports of the vulnerability being exploited, and added: "Google takes the security of our users' information very seriously."

Pure Hacking's Gatford said cross-site scripting vulnerabilities are gaining popularity amongst attackers and that many organisations -- including Australian Federal Government departments -- are overlooking the problem.

"In the last year or so, [cross-site scripting vulnerabilities] have been used by attackers to grab cookie values and therefore gain access to normally password protected sites," said Gatford.