Can a Gmail security vulnerability allow an attacker to create a malicious filter in your account without knowing your Gmail username and password? Not directly, but it can make your own browser create the filter without your knowledge. According to geekcondition, this Gmail security flaw has already caused some domain owners to lose domain names registered with GoDaddy; MakeUseOf was one of them, and many other domain names were stolen through the same Gmail security vulnerability.
How this Gmail security vulnerability can be exploited by an attacker [via the Gmail Security Flaw Proof of Concept]
When you create a filter in your Gmail account, a request is sent to Google's servers to be processed. The request takes the form of a URL with many variables. The browser's address bar does not show you all of the variables contained in that request. Using Firefox and an extension called Live HTTP Headers, you can see exactly which variables your browser sends to Google's servers.
[Screenshot from the proof of concept: the captured filter-creation request, with the ik variable labelled *Unique Account Identifier* and the at variable labelled *Session Authorization Key*]
Through a process of elimination you can determine the role of each variable. I have highlighted the two most important variables, ik and at. The ik variable is the equivalent of a username: each account has one and it never changes. Obtaining this variable is tricky but possible. I'm not going to tell you how to do it; if you search hard enough online you'll find out how.
Obtaining the at variable, on the other hand, can be done by tricking a user into visiting a page that contains malicious code which steals a cookie called GMAIL_AT from the user; its value is the same as the at variable, just under a different name. Once the cookie is stolen, the malicious code creates a hidden iframe whose URL contains the variables that authorize Gmail to create a filter for your account. Because the victim is still logged in, the browser attaches the victim's Gmail session cookies to the iframe's request, and Google's servers process it exactly as if the victim had submitted the filter form themselves.
Currently the at token is valid for the whole session; Gmail should scope it to a single request instead, so that a stolen value cannot be reused. As a Gmail user you need to keep an eye on your account settings, filters in particular, and make sure that nothing looks out of the ordinary. If you access Gmail via Firefox, it is also worth installing the Firefox extension NoScript, which blocks scripts on sites you have not explicitly allowed.