Google plugs security hole in Google Apps Script API

22 Nov 2010

According to tech blog, TechCrunch, a 21-year-old Armenian calling himself "Vahe G" has discovered a way of sending spam to Gmail users, just by letting them visit an exploited webpage.

TechCrunch reports that it confirmed the vulnerability by visiting an affected page on Blogspot, Google's blogging platform, while they logged into Gmail and received an immediate email from Google's servers.

According to security experts though, this amounted to little more than mischief, it could have been exploited by more malicious hackers to spread the typical money-making spam which we see often or to distribute malware or a phishing attack.

They say users might be lured by a link that could be seen to come from Google and end up putting their personal data in danger.

Google seems to be concerned over the issue and is said to be rolling out a fix.

Google says, '' We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com.''

Nevertheless, security issues of the kind are a real concern as an increasing number of people rely on email communications and their webmail providers are required to deliver a reliable, filtered inbox. They add it was a serious security hole.