Google has fixed a vulnerability in their Gmail web based email service which would have allowed internet attackers to steal mail messages from users without being noticed.
The technique used by this exploit is known as CSRF (Cross-site Request Forgery) and is becoming an increasingly common method to attack web applications. If a web application is vulnerable to CSRF, it will allow unauthorised attackers to carry out arbitrary actions in the context of an authorised, logged in user of the application. Not only does this make a hacker’s life easier, but it also helps them to cover up their tracks, as malicious actions will appear to be carried out, unwittingly, by authorised users of the system.
Compromised webmail accounts are regarded as a valuable commodity by hackers, as they often contain information that would allow an attacker to gain unauthorised access to other systems, such as internet banking, and to harvest credit card details from online stores used by the victim. Because the attacker is now effectively in control of their victim’s email, they could also attack other accounts belonging to the victim by following “forgotten password” links and obtaining the relevant passwords via email.
Cross-site Request Forgery vulnerabilities are often difficult to identify using automated tools and typically require testing by security aware developers.