diTii.com Digital News Hub



Google Fixes Google Apps Script API ‘Email Harvesting’ Exploit

Vahe G. created a site, http://guntada.blogspot.com, demonstrating the vulnerability in Google Apps Script. When visited by someone already logged into a Google account, the site would harvest that visitor's Google email address, and it proved this by emailing them immediately.

And it even works in “incognito” mode (aka porn mode).

This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. A comment thread (see pic) also mentioned a related issue with App Engine a month ago.

Google App Engine Exploit

The site is down now; here's what it looked like:

Google responded:

“We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to [email protected]”

