According to a report on the TechCrunch newswire, a 21-year-old Armenian calling himself 'Vahe G' has apparently uncovered a method of sending spam to Gmail users, simply by getting them to visit an exploited web page.
Although the precise methodology has not been identified by the security community, the problem appears to centre on Blogspot – the Google blogging platform – whilst a user is logged into Google and its Gmail service, as most users tend to be, Infosecurity notes.
The flaw identified by Vahe G allows him to generate an immediate email from Google's servers, without any need for email header spoofing or similar trickery.
The exploit seems more mischievous than anything else, but as Sophos' senior technology consultant Graham Cluley observed in his security blog over the weekend, "more malicious hackers could easily have exploited the vulnerability to spread the typical money-making spam we often see or to distribute malware or a phishing attack."
Users, he says, might be much more likely to click on a link if they saw it really did come from Google, and could put their personal data in danger.
Within hours of the flaw being highlighted on TechCrunch, the potential problem was fixed, with a statement being issued by Google noting:
"We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com."
According to Sophos' Graham Cluley, meanwhile, security issues like this one are a real concern as more and more people rely upon email communications, and their webmail providers to deliver a reliable, filtered inbox.
"This was a serious security hole", he said.