Jul 20, 2008

Gmail vulnerability being exploited by spammers

I knew something was fishy when I started getting emails from my father inviting me to desktopdating.net. On closer inspection of the email properties, I found it was not sent from Gmail but from desktopdating.net.

There have been quite a few cases of emails being sent to the contacts of Gmail (Google Email) users, in those users' names, which were not authored by the holders of those Gmail accounts. Known websites that have been using this technique are desktopdating.net, yaari.com & gazzag.com. These websites send invites and other spam to someone's contacts in that person's name. An easy way to spot such a false email is to look at its details or properties: the from address will show as someone@gmail.com, but the mailed-by server will not be Gmail; it may, for example, be desktopdating.net.
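The header check described above, as an added example that is not part of the original post: it parses a raw message, takes the server named in the bottom-most Received: header (the "mailed by" server) and the Message-ID domain, and flags the message when a gmail.com From: address did not originate at Google. The EXPECTED_ORIGIN table and both sample messages are constructed assumptions, not data from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (not from the post): mail that Gmail itself sends is handed off by
# Google's servers, so a gmail.com From: should originate in one of these domains.
EXPECTED_ORIGIN = {"gmail.com": ("google.com", "gmail.com")}

def origin_host(msg):
    """Host in the bottom-most Received: header (Gmail's 'mailed by' server)."""
    for rcvd in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", rcvd)
        if m:
            return m.group(1).lower()
    return None

def in_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """Return (flagged, reasons): flagged if the first hop or Message-ID origin is unexpected."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    expected = EXPECTED_ORIGIN.get(from_domain)
    if not expected:
        return False, ["no origin expectation for %r" % from_domain]
    reasons = []
    host = origin_host(msg)
    if host and not in_domain(host, expected):
        reasons.append("From is @%s but mailed by %s" % (from_domain, host))
    mid = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if mid and not in_domain(mid, expected):
        reasons.append("Message-ID was generated at %s" % mid)
    return bool(reasons), reasons

# Constructed spoofed invite as the post describes: gmail.com From:, dating-site origin.
SPOOFED = """\
Received: from mail.desktopdating.net (mail.desktopdating.net [192.0.2.10])
 by mx.example.org with ESMTP id q1; Sun, 20 Jul 2008 09:00:00 +0000
From: Dad <dad@gmail.com>
Message-ID: <4711@desktopdating.net>
"""
# Constructed sample of a message that Gmail itself sent on the user's behalf.
GENUINE = """\
Received: from mail-xx.google.com (mail-xx.google.com [192.0.2.20])
 by mx.example.org with ESMTP id q2; Sun, 20 Jul 2008 09:05:00 +0000
From: Dad <dad@gmail.com>
Message-ID: <abc@mail.gmail.com>
"""
```

Only the bottom-most Received: header is trusted as the origin, since headers above it are added by later relays; a forged Received: line inserted by the sender would sit below the real ones, so a full check should also verify the injecting IP against the domain's published records.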

These sites have also been mentioned in a blog post on 'Ill-mannered websites'.

If you can, block or filter these websites in your email accounts, web servers and any other online channels. If you have become a member of any of these sites, I would strongly recommend that you unregister and remove any personal or social contact details. Finally, if you do receive any email containing links to these websites, do not click on any of those links, as that will start a program that attempts to read through your entire contact list and store it for spamming purposes. Simply delete such emails; marking them as spam may be tricky, as that may block the email address they appear to come from.

Gmail vulnerability

Gmail used to carry all the contact addresses for a logged-in account in the active Javascript of that session. Other sites found that in today's multi-tab browsers, if a user is persuaded to visit another web page while keeping their Gmail account open, that other page could extract the contact list addresses from the Javascript. There is more information on this vulnerability in this blog post - GMail Vulnerable To Contact List Hijacking.

Though this vulnerability has since been fixed by Gmail, in the window while it was open some spammers were able to harvest and collect the contact lists of many email account holders.

1 comment:

Prabu said...

Hi, a lot of websites are doing this. They ask for your Gmail/Yahoo/AOL id and password on the pretext of adding your friends automatically and then send spam from your inbox. Facebook also does it, but the worst is Yaari.