###

###

Is it possible for someone to create a malicious filter without having access to your Gmail username and password? No, however, they can force you to create the filter without your knowledge.

The blogosphere is buzzing about a Gmail Security Flaw that has caused some people to lose their domain names registered through GoDaddy. 

To understand how this exploit works let me first explain how I would carry it out (if I were a blackhat). Then we can move on and explain the exploit in detail. Let’s use a current example and assume that I was trying to steal MakeUseOf.com and I already knew it was registered by GoDaddy. Let’s also assume that I knew the owner’s Gmail address. I would want to create a filter like the one in the image above, where all email sent from GoDaddy Support was automatically deleted and forwarded to my email address.

Once the filter was setup I would simply head on over to GoDaddy’s Customer Number Retrieval page and enter the following info:

Once I press continue an email is sent to the domain owner’s email address but since I’ve setup a filter he never sees it in his inbox. Instead, it is sent to the trash and forwarded to my email address. With the GoDaddy Account Number I can now proceed to the GoDaddy Password Retrieval page:

Once again I simply press continue and an email containing an Authorization Code is sent the the owner’s email address but the filter deletes it immediately and forwards it on to me. I now have the ability to take over this person’s GoDaddy account and transfer MakeUseOf.com or any domain within that account to my registrar.
(more…)

Prospekts

Glass of Water

Life in Technicolor ii

Checkout the release details on Coldplay.com