Google confirmed that it has quietly fixed a flaw in its Gmail service that could have allowed attackers to gain complete control of other users' accounts.
Last month the problem was reported to Google by members of the hacker site Elhacker.net, and was fixed on Oct. 18 according to Google, though without any notification to the public.
Elhacker.net has now decided to publish details of the process for exploiting the bug. "OK, it's a beta version, and they don't have to report anything," the site said in an advisory. "But if they would have recognized it and published a thank you note, this information wouldn't have been published."
Besides publishing the information on Elhacker, the site said the flaw had been demonstrated to the editors of Spanish IT security magazine Seguridad0.
Google downplayed the seriousness of the flaw, saying it could only be exploited if a user provided their authentication token to the attacker, meaning there was effectively no risk of an attack. The authentication token is a string that appears in the browser's address bar after a user logs in, and according to Google it is protected by encryption.
"We looked into this issue and learned that it can only occur if a user knowingly provides their authentication token," said Google spokeswoman Sonya Boralv. "Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues in the future."
Last month Google said it had fixed a cross-site scripting flaw that could have allowed a remote attacker to take over Google accounts or fake Google content in order to carry out scams, according to Finjan, which discovered the flaw.