Gmail Plus or Google Danger?


Via the Full Disclosure email list I became aware of Eric's Blog, where he leads us to a new Google service: Gmail Plus.

The Gmail plus site says:

New! Gmail Plus Service is here
Gmail, meet Orkut. Gmail Plus (or Gmail+, as we like to call it) is the evolutionary next step for Gmail. With just one click, you can not only check your email, but meet new people at the same time. Connecting with other people has never been easier

Except the Gmail Plus service is actually fake and has been put together by a persistent code insertion flaw (not just XSS but any content) that allows users to host a customised search service on the Google domain.

The Public Service service from Google is currently down with an error message. While I am sure they are fixing this, unfortunately some more bad press for G is imminent from this particular flaw. I must stand by my previous thoughts that "shit happens" and "what matters is how quickly it gets fixed", and G seem to be fixing it, but PLEASE take the Gmail Plus service down.



that is scary



Known for weeks now

This has been known for weeks/months now. Not the script-kiddy GMail Plus thing...

I've actually seen people get tons of links from and do exceptionally well. We're talking unknown to top 500 Alexa rankings in a few weeks. Generally nothing but high-quality scrapers based generally on male enhancement or loans get this treatment, as everyone knows you're pretty much going to be blacklisted sooner or later.

Hint: A while back TW pointed out a few spam sites that had advanced in traffic quite scarily...

it's funny

'cause I think that's not the only one out there :)


Only one?

Ha! ha ha!

No, this is the most outed one specific to the flaw, because it is so ostentatious. This is the first not-directly-for-profit one I have seen, however.

From the site:
You (could have) gotten served!
test = username you entered
test = password you entered
No data was actually taken, just displayed to you :) This is just a proof of concept of what a malicious user could do with this exploit.

Clearly, this is some fringe-hat who hangs around a few top notch blackhats and decided to 'out' it. Here's to hoping Google rewards him. (If they find him, they'll probably press charges, however... which goes to show, script kiddies... if you find a real exploit, submit it privately, wait 6 months, and then submit a press release with YPN on the page, or sell the knowledge to someone who will know what to do with it.)

This has been known for

This has been known for weeks/months now

Indeed, but once it's in the public domain it would be wrong for TW to not report on it!

I'd seen it reported

I'd seen it reported internally this morning, but I added my $0.02 to the email where it was reported.

They did a post about it on

And I take my hat off to G

And I take my hat off to G on this. Quick action!

