Security researcher Petko Petkov has revealed a cross-site request forgery vulnerability in Gmail that makes it possible for a malicious web site to surreptitiously add a filter to a user"s Gmail account that forwards e-mail to a third-party address.
Petkov"s proof-of-concept exploit for this vulnerability, which has been independently verified but not publicly released, uses a multipart/form-data POST to send instructions to Gmail"s internal API. The vulnerability can only be exploited when the user is currently logged in to the Gmail service.
This is the second major Google security vulnerability to be revealed this week. On Monday, security researcher Fernando Bedford provided a proof-of-concept exploit for a Google cross-site scripting vulnerability in Google"s Blogspot polls API that facilitated e-mail hijacking and address book sniffing. That vulnerability was fixed by Google shortly after it was reported, but it is presently unclear whether or not the vulnerability discovered by Petkov has been fixed yet.