Gmail Bug Exposes E-mails to Hackers
UPDATE: Google has squashed a Gmail bug, discovered by UNIX developers HBX Networks, that allowed access to other users' personal e-mails. By altering the "From" address field of an e-mail sent to the service, hackers could potentially find out a user's personal information, including passwords.
Quick to respond, Google acknowledged the problem late Wednesday and has since corrected it for all users, a company source said.
At first glance, the e-mail would appear normal to the average user. But after clicking "show options" within the Gmail interface, the "Reply-To" field would show HTML code that was actually a formatted version of another user's e-mail, HBX wrote on its Web site.
HBX said it thinks a missing character is tripping up Gmail and causing it to print whatever is in its cache, or memory, into the Reply-To field. The group did say much of what it saw was spam. What troubled it, however, was that in at least one case it was able to see a user's password.
"Regardless of the specific failure, the result is a compromise of the privacy of communications over Gmail," the organization said. "Usually, this only permits an attacker to examine recently-arrived spam in random user's inboxes - but message content does occasionally become more interesting."
The group urged Gmail users to contact Google and demand the problem be fixed, and warned about using the service for personal communications.