Google has fixed a potentially damaging vulnerability in its Web-based Gmail e-mail service. Gmail users risked exposing personal information to hackers when they sent out e-mail, according to the Unix community site HBX Networks.
The issue arose when Gmail read ‘From:firstname.lastname@example.org’ in a message. If the trailing ‘>’ was missing, Gmail continued reading until it encountered one, and whatever it swept up along the way could include sensitive information not intended for the recipient.
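The parsing failure the article describes, an angle-bracketed address whose closing ‘>’ never arrives, is easy to reproduce in miniature. The following is an added illustration written for this page, not code from Gmail, Google or HBX Networks: the sample message is constructed, and the function names (`naive_from_address`, `bounded_from_address`, `_header_field`) are hypothetical. It contrasts an extractor that scans the whole message buffer for the next ‘>’ with one that confines the search to the From: header field and rejects an unterminated address instead of running on into the rest of the message.

```python
# Added illustration, not Gmail's code: how an unterminated '<' in a From:
# header lets a naive extractor read past the header into unrelated data.

import re
from typing import Optional

# Constructed sample message. The From: header is missing its trailing '>'.
# Everything after it stands in for data the recipient should never see.
UNTERMINATED_MESSAGE = (
    "From: Alice Example <alice@example.org\r\n"
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "<html><body>sensitive text</body></html>\r\n"
)

# Same message with the header correctly terminated.
WELL_FORMED_MESSAGE = UNTERMINATED_MESSAGE.replace(
    "<alice@example.org\r\n", "<alice@example.org>\r\n", 1
)


def naive_from_address(raw: str) -> Optional[str]:
    """Scan the whole buffer: from the '<' after 'From:' to the first '>'.

    This models the failure mode described in the article. Once the closing
    '>' is missing from the header, the scan keeps going into whatever
    follows, and that material ends up inside the 'parsed' address.
    """
    start = raw.find("From:")
    if start == -1:
        return None
    lt = raw.find("<", start)
    if lt == -1:
        return None
    gt = raw.find(">", lt)
    if gt == -1:
        return None
    return raw[lt + 1:gt]


def _header_field(raw: str, name: str) -> Optional[str]:
    """Return one unfolded header field body, bounded by the header block.

    The header block ends at the first blank line. Continuation lines start
    with whitespace (RFC 5322 folding), so only those are joined onto the
    field; the next non-folded line ends it.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    body: Optional[str] = None
    for line in head.split("\r\n"):
        if body is not None and line[:1] in (" ", "\t"):
            body += " " + line.strip()
            continue
        if body is not None:
            break
        if line.lower().startswith(name.lower() + ":"):
            body = line[len(name) + 1:].strip()
    return body


# An angle-addr must open and close within the field; no '<', '>' or
# whitespace is allowed inside the address itself.
ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def bounded_from_address(raw: str) -> Optional[str]:
    """Look for the address only inside the From: field.

    An unterminated '<' simply fails to match and yields None; the caller
    can then reject or quarantine the message rather than display whatever
    happened to follow the header.
    """
    field = _header_field(raw, "From")
    if field is None:
        return None
    match = ANGLE_ADDR.search(field)
    return match.group(1) if match else None


if __name__ == "__main__":
    print("naive, unterminated :", repr(naive_from_address(UNTERMINATED_MESSAGE)))
    print("bounded, unterminated:", repr(bounded_from_address(UNTERMINATED_MESSAGE)))
    print("bounded, well-formed :", repr(bounded_from_address(WELL_FORMED_MESSAGE)))
```

On the unterminated sample the naive scan returns a string that contains the To: and Subject: lines and the start of the HTML body, which is exactly the kind of leak the article reports; the bounded parser returns None for that message and ‘alice@example.org’ for the well-formed one. The general point for any header parser is that a delimiter search must be bounded by the syntactic unit it belongs to (here the unfolded header field), and that an unterminated delimiter is a parse error to be surfaced, not a cue to keep reading.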
While researching the flaw, the HBX investigators found that, after clicking the ‘Show options’ link, the ‘Reply To’ field of the e-mail header that Gmail displayed contained someone’s HTML-formatted e-mail message.
Google has now said that the problem has been fixed. As the problem lay at the server level, users can rest assured that their data has been secured. However, the Gmail flaw is the latest in a series of embarrassing vulnerabilities found in Google software.
Google said the problem was fixed on Wednesday, shortly after the HBX Networks report appeared. “At 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous e-mails that had this problem will also no longer be accessible. We appreciate your patience and we’re sorry about the bug,” said Chris DiBona, Google’s open source program manager, in an e-mail to the tech discussion site Slashdot. He urged users to report security bugs to email@example.com.
HBX expressed concern that other such bugs might exist: “The appearance of this issue, at the user level, probably indicates a failure in GMail’s code review and/or quality assurance standards, which may result in other, similar errors.”
While it is technically still in beta-testing, Gmail has become one of the most popular Web-based e-mail services since its
launch in April, and has begun to come under the same scrutiny as other Google services. Last month, for example, Google fixed
a flaw with its desktop search that could have allowed hackers to search the contents of a PC.
Security problems are nothing new to Web e-mail. Last March, shortly before Gmail’s launch, IT security firm GreyMagic Software
demonstrated that scripts could be run in Hotmail and Yahoo’s Web e-mail, bypassing scripting restrictions. Scripts embedded
in e-mail messages could have been used to steal passwords or spread worms, researchers said. The problem has now been fixed.