In an alarming new angle on yesterday’s news of Gmail hacks that originated in China, here’s a video showing a different approach to invading a Gmail inbox: a malicious Flash file that exploits a vulnerability in Adobe Flash.
It shows that your Gmail is not just at risk from ‘phishing’ sites that try to trick you into revealing your Gmail password, but also from a specially crafted Flash file that can inject a spying forwarding address into your Gmail account settings.
With this method, the snoop can read all your emails, conveniently forwarded to him/her (in this instance, in China), without your knowing. Indeed, this hack doesn’t even steal (or need) your password.
So, how does it work? The screencast video, below, is narrated in Chinese, so here’s my rundown. It’s pretty simple. First, you get a dodgy email which encourages you to click a certain link. In this instance, it appears to be someone’s personal blog that’s hosted on Sina’s blog platform. Clicking it actually leads to a dubious site which hosts just one Flash file. It says “loading…”, but nothing ever loads. (A cursory look in the ‘Properties’ reveals the Flash file’s name to be f.swf.) Then, the video’s narrator heads back to his Gmail account settings – which were open in the same browser while he visited the malicious site – to reveal that a forwarding address has been added to his settings. Pretty scary.
It looks like another innocuous Gmail address – but that address is getting all your new mail delivered to it, allowing it unfettered snooping on your mail. Even if you were to change your email password, that forwarding address would still be in your account settings, receiving all your Gmail.
(Here’s the direct YouTube link, in case the uploader suddenly disables embedding.)
You might recall that Adobe was a serious ‘weak link’ in the initial Google hack controversy in January 2010 that prompted Google to shutter Google.cn and redirect all mainland China users to its Hong Kong-based search engine. Last time it was Reader; this time it’s Flash. We look forward to hearing from Adobe again, now that it’s clear it’s again culpable in these new attacks.