Gmail Security Flaw Proof of Concept
November 24, 2008 – 8:38 AM
Is it possible for someone to create a malicious filter without having access to your Gmail username and password? No. However, they can force you to create the filter without your knowledge.
The blogosphere is buzzing about a Gmail Security Flaw that has caused some people to lose their domain names registered through GoDaddy.
To understand how this exploit works, let me first explain how I would carry it out (if I were a blackhat). Then we can move on and explain the exploit in detail. Let’s use a current example and assume that I was trying to steal MakeUseOf.com and I already knew it was registered by GoDaddy. Let’s also assume that I knew the owner’s Gmail address. I would want to create a filter like the one in the image above, where all email sent from GoDaddy Support was automatically deleted and forwarded to my email address.
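A defensive check for the kind of filter described above, as an added example that is not part of the original post: it scans a list of filters in the Gmail API's filter format (`criteria` / `action`) and flags any that both forward mail to an unrecognized address and delete it or skip the inbox. The allow-list, the email addresses and the sample filters are constructed assumptions.

```python
# Added example: audit Gmail filters for the forward-and-delete pattern.
# Input uses the Gmail API Filter resource shape (criteria / action).
# All addresses and filter entries below are constructed for illustration.

TRUSTED_FORWARD_ADDRESSES = {"owner.backup@example.com"}  # assumption: your own allow-list


def filter_findings(f, trusted=TRUSTED_FORWARD_ADDRESSES):
    """Return the reasons a single filter looks like a silent mail diversion."""
    action = f.get("action", {})
    added = set(action.get("addLabelIds", []))
    removed = set(action.get("removeLabelIds", []))
    forward = (action.get("forward") or "").strip().lower()

    reasons = []
    if forward and forward not in trusted:
        reasons.append(f"forwards to unrecognized address {forward}")
    if "TRASH" in added:
        reasons.append("deletes matching mail")
    if "INBOX" in removed:
        reasons.append("skips the inbox")
    return reasons


def audit_filters(filters, trusted=TRUSTED_FORWARD_ADDRESSES):
    """Map filter id -> reasons, keeping only filters that forward AND hide mail."""
    flagged = {}
    for f in filters:
        reasons = filter_findings(f, trusted)
        forwards = any(r.startswith("forwards") for r in reasons)
        hides = any(r.startswith(("deletes", "skips")) for r in reasons)
        if forwards and hides:
            flagged[f.get("id", "<no id>")] = reasons
    return flagged


# Constructed sample: a benign label filter, the pattern from the post,
# and a forward-and-delete filter that targets an allow-listed address.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_1"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"from": "support@godaddy.com"},
     "action": {"forward": "someone.else@example.net", "addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"from": "billing@example.org"},
     "action": {"forward": "owner.backup@example.com", "addLabelIds": ["TRASH"]}},
]

if __name__ == "__main__":
    for fid, reasons in audit_filters(SAMPLE_FILTERS).items():
        print(fid, "->", "; ".join(reasons))
```

Only the filter that forwards to an address outside the allow-list while also trashing the mail is reported; the same review can be done by hand on the Filters and Forwarding tabs of Gmail's settings.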