16:19 18.01.2007 | All news from "Spam & Abuse"

Google Patches Gmail Spammer Bug

Google has quickly fixed a flaw that reportedly exposed the contact lists of Gmail users to spammers, giving them, at least in theory, a new source of e-mail addresses for hawking their wares.

When users access Gmail, Google's Web-based e-mail service, their contact lists are stored in a JavaScript file on their hard drives. Before the flaw was patched, a malicious Web site could have read that file, extracted the list of contacts, and passed that data on to spammers.

Engadget, a well-known consumer electronics site, tested and confirmed the Gmail flaw, but no reports have surfaced of Gmail users actually being affected by it.

Quick Fix

Gmail users worried about the flaw had two ways to work around it themselves, but neither was perfect.

First, users could simply turn off JavaScript in their Web browsers, a move that would protect them at the cost of breaking key features on many Web sites. Second, they could log out of Gmail before surfing the Web.

But according to several reports, Google fixed the problem not long after it was first discovered, sparing users from the burden of having to apply workarounds of their own design.
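The article does not say how Google fixed the endpoint, so the following is an added illustration, not Google's code: a constructed model of a contact-list endpoint in the vulnerable shape the article describes (a JavaScript-readable file served to anyone holding the user's session cookie), next to a hardened version that requires a custom request header a cross-site script include cannot set, labels the body as JSON, and prepends a prefix that makes the body a syntax error if evaluated as script. The session store, cookie value and contacts are constructed sample data; the logged-out case models the second workaround above.

```javascript
// Added example (not Google's code). Minimal request model: { cookie, headers }.
const ANTI_HIJACK_PREFIX = ")]}',\n"; // makes the body invalid JavaScript

// Constructed sample session store: cookie value -> contacts.
const SESSIONS = {
  "sid=abc123": ["alice@example.com", "bob@example.com"],
};

// Vulnerable shape: any request carrying the session cookie gets a bare array
// literal served as script. A <script src=...> tag on another site sends the
// cookie too, and the browser evaluates the array literal in that page.
function vulnerableContacts(req) {
  const contacts = SESSIONS[req.cookie];
  if (!contacts) return { status: 401, contentType: "text/plain", body: "" };
  return { status: 200, contentType: "text/javascript", body: JSON.stringify(contacts) };
}

// Hardened shape: (1) require a custom header, which <script> tags cannot add,
// so only same-origin XMLHttpRequest/fetch code can obtain the data;
// (2) label the body as JSON, not script; (3) prepend ANTI_HIJACK_PREFIX so the
// body is a syntax error if it is ever evaluated as JavaScript anyway.
function hardenedContacts(req) {
  const contacts = SESSIONS[req.cookie];
  if (!contacts) return { status: 401, contentType: "text/plain", body: "" };
  if ((req.headers["x-requested-with"] || "") !== "XMLHttpRequest") {
    return { status: 403, contentType: "text/plain", body: "" };
  }
  return {
    status: 200,
    contentType: "application/json",
    body: ANTI_HIJACK_PREFIX + JSON.stringify(contacts),
  };
}

// Same-origin client code strips the prefix before parsing the JSON.
function parseContacts(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error("unexpected response");
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Defender's check: would this response body parse as JavaScript if a browser
// loaded it via a <script> tag? new Function() parses without executing.
function isExecutableAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}
```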

Not the Last

This is not the first time a Web-based e-mail service has been found to have flaws. In October 2005, security firm SEC-Consult claimed to have discovered more than five problems with Yahoo Mail, all of which Yahoo has patched, according to the firm's Web site.

In June 2006, Yahoo was again hit when Websense, makers of scanning tools that ferret out phishing, pharming, and other threats, reported a worm that harvested the e-mail address from every e-mail in a Yahoo Mail inbox. The worm then sent the harvested addresses to spammers, and redirected the user's Web browser to a site laden with unwanted advertisements.

Microsoft's Hotmail also has suffered from glitches, as have nearly all Web-based e-mail systems since they first came to fame with the Web rush of the late 1990s.
