Vulnerabilities in Gmail, Picasa, and Google Search Appliance

The Webosphere is buzzing with news of vulnerabilities in Gmail, Google's immensely popular Web mail service. The new vulnerabilities let hackers set up a kind of back-door entry into a user's account that could lead to the forwarding of e-mails to another e-mail address. More vulnerabilities have also surfaced in Google's Search Appliance and Web album service Picasa.

The Gmail hack, technically a Cross-Site Request Forgery (CSRF), causes a new filter to be added to the user's Gmail account, and that filter can then be used to manipulate e-mails (Wired). Hacking of Web mail accounts presents a scary scenario, since many e-mail accounts are a central repository for personal and financial information. There are cases where users' e-mail accounts have even been held for ransom (WebProNews).

A quote from the article at PC World:

According to Petkov, who declined to release details about the vulnerability, attackers can use Gmail's filtering feature to exploit the bug. An attack, he said, would start with a victim visiting a malicious Web site while also still logged into his Gmail account. The malicious site would then perform what Petkov called a "multipart/form-data POST" -- an HTML command that can be used to upload files -- to one of the Gmail application programming interfaces, then inject a rogue filter into the user's filter list.

Google is reported to be working on patching the attack (SC Magazine), but a patch does not remove the back doors that are already installed.

Another report, from Heise-security, states that a series of attack methods can be used to steal pictures organized using Google's picture gallery software Picasa from users' hard disks. The flaw takes advantage of Picasa's URI registration feature and lures users into clicking on links on a malicious Web site. The report also covers vulnerabilities in Google's Search Appliance (a search engine for enterprises) and Google Urchin.

A quote from the article at Register:

A Google spokesman said the company had recently become aware of the flaw in its search appliance and would offer more details about a fix after a more thorough investigation. Google officials are unaware of the vulnerability being targeted in the wild.

As data on the Web converges across a growing collage of Web sites and services, vulnerabilities get mixed and mutated. The recent spate of possible attacks raises the question of whether software makers can secure all loopholes or whether the Internet needs a total restructuring from the security perspective.