Serious cross-site request forgery vulnerability found in Gmail
Source : arstechnica.com
Security researcher Petko Petkov has revealed a cross-site request forgery vulnerability in Gmail that makes it possible for a malicious web site to surreptitiously add a filter to a user’s Gmail account that forwards e-mail to a third-party address. Petkov’s proof-of-concept exploit for this vulnerability, which has been independently verified but not publicly released, uses a multipart/form-data POST to send instructions to Gmail’s internal API. The vulnerability can only be exploited when the user is currently logged in to the Gmail service.
