Google Apps Script API flaw allowed attacker to impersonate Google

Details about a recently discovered and exploited vulnerability that allowed a 21-year-old Armenian hacker to harvest GMail addresses and send to their owners a message coming from a legitimate Google e-mail address are still unknown, but the vulnerability has been patched.

According to Softpedia, the attack has been perpetrated during the weekend, but it wasn’t malicious in nature. The hacker just wanted to bring the vulnerability to the public’s attention, because he says that he has tried to contact Google and disclose all the details, but they won’t answer his e-mails.

The attack involved a specially crafted Blogspot page which allowed the hacker to harvest the e-mail address of every user that was logged into his or hers GMail/Google account. Then, he would send the following e-mail to the user:

It seems that the hacker really just wanted to get Google’s attention, since this flaw seems like one that can be easily and successfully taken advantage by scammers and phishers because the message headers would withstand scrutiny and prove that the e-mail was actually sent by Google.

“We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account,” says in a statement issued by Google. “We immediately removed the site that demonstrated this issue, and disabled the functionality soon after.”

But the strangest thing about this whole situation is the alleged Google’s unresponsiveness to the hacker’s e-mails, particularly because Google has started a bounty program inviting researchers to find vulnerabilities in its Web services and get paid for it.