"Petko Petkov of "ethical hacking" group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users.

"This can be used to forward all your incoming e-mail," Pure Hacking security researcher Chris Gatford said. "It's just a proof of concept at the moment, but what they're demonstrating is the potential to use this vulnerability for malicious purposes."

According to Gatford, attackers could compromise a Gmail account--using a cross-site scripting vulnerability--if the victim is logged in and clicks on a malicious link. From that moment, the attacker can take over the session cookies for Gmail and subsequently forward all the account's messages to a POP account.

"If someone picks up on this before Google fixes it--or if someone knew of the vulnerability before this guy published it--this could be very damaging to Gmail users," he added.

The problem is potentially compounded by Google's policy of retaining cookies for two years. "

Article Link: http://news.zdnet.com/2100-1009_22-6210353.html