GMail vulnerability on Atom feed?
I don’t know about this, and will be curious to see what the answer is… barrapunto.com had the link to a post from a Gmail user who notes… Gmail has the capability to have a feed of your new messages in Atom format. (We’re talking RSS feeds here.) That’s all well and good. He went to Bloglines though and tried to set up viewing of his feed… and saw tons of email – NOT HIS.

… and also not that of ANYONE who had previously used his PC.

It looks as though Google uses the same URL for everyone to access their feed: https://gmail.google.com/gmail/feed/atom

You do have to enter a username and password, but cookies are used to cache that information. For this reason he didn’t expect it to work through an online page like Bloglines, but it seems it probably had cached one of two things… 1) SOMEONE else’s login information, so when he signed up for the feed it showed him another person’s inbox, or 2) it simply cached the feed after the first user checked their mail.

If it’s the first case, it’s possibly a Google security bug. If it’s the 2nd, then it’s something bloglines needs to handle (caching of feeds across accounts – some feeds shouldn’t be cached.)
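The second case is easy to reproduce in miniature. The following is an added example, not code from the post, Gmail or Bloglines: a toy aggregator that caches a per-user feed by URL alone hands the first subscriber's inbox to every later subscriber of the same URL, while one that keys its cache on the subscriber and honours the server's `Cache-Control: private, no-store` does not. The feed URL, accounts, passwords and inbox contents are all constructed placeholders.

```python
"""Toy feed aggregator cache (added example, not the post's or Bloglines' code).
Shows how caching an authenticated feed by URL alone leaks one subscriber's
feed to another, and how keying the cache on the subscriber and honouring
Cache-Control prevents it. All feeds, accounts and credentials are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed stand-in for a shared feed URL (placeholder, not Gmail's real URL):
# the same URL serves a different document depending on whose credentials arrive.
FEED_URL = "https://mail.example.invalid/feed/atom"

_INBOXES = {
    ("alice", "alice-pass"): "<feed><title>Inbox for alice</title></feed>",
    ("bob", "bob-pass"): "<feed><title>Inbox for bob</title></feed>",
}


def fetch_feed(url: str, username: str, password: str) -> tuple[dict, str]:
    """Simulated HTTP fetch returning (headers, body). The origin marks the
    response private/no-store so shared caches must not reuse it across users."""
    body = _INBOXES.get((username, password))
    if body is None:
        raise PermissionError("bad credentials")
    return {"Cache-Control": "private, no-store"}, body


@dataclass
class NaiveAggregator:
    """Caches by URL only: whoever fetched first, everyone subscribing to that
    URL afterwards is served their feed (the leak described in the post)."""
    cache: dict = field(default_factory=dict)

    def read(self, subscriber: str, password: str, url: str) -> str:
        if url not in self.cache:
            _, body = fetch_feed(url, subscriber, password)
            self.cache[url] = body
        return self.cache[url]  # same body for every subscriber


@dataclass
class SafeAggregator:
    """Keys the cache on (URL, subscriber) and refuses to cache at all when the
    origin marks the response private or no-store."""
    cache: dict = field(default_factory=dict)

    @staticmethod
    def cacheable(headers: dict) -> bool:
        directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
        return not ({"private", "no-store"} & directives)

    def read(self, subscriber: str, password: str, url: str) -> str:
        key = (url, subscriber)
        if key in self.cache:
            return self.cache[key]
        headers, body = fetch_feed(url, subscriber, password)  # re-authenticates per user
        if self.cacheable(headers):
            self.cache[key] = body
        return body


def demo() -> tuple[str, str]:
    """Returns (what the naive cache serves bob, what the safe one serves bob)."""
    naive = NaiveAggregator()
    naive.read("alice", "alice-pass", FEED_URL)
    leaked = naive.read("bob", "bob-pass", FEED_URL)  # bob receives alice's inbox
    safe = SafeAggregator()
    safe.read("alice", "alice-pass", FEED_URL)
    correct = safe.read("bob", "bob-pass", FEED_URL)  # bob receives his own inbox
    return leaked, correct


if __name__ == "__main__":
    leaked, correct = demo()
    print("naive cache served bob:", leaked)
    print("safe aggregator served bob:", correct)
```

The design point is that a feed URL shared by all users is only safe to cache when the cache key includes the identity the content depends on; the simplest robust rule for an aggregator is to never store a response the origin marks `private` or `no-store`, and the simplest fix on the server side is to send exactly those directives on per-user feeds.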