Security researcher Petko Petkov has revealed a cross-site request forgery vulnerability in Gmail that makes it possible for a malicious web site to surreptitiously add a filter to a user's Gmail account that forwards e-mail to a third-party address. Petkov's proof-of-concept exploit for this vulnerability, which has been independently verified but not publicly released, uses a multipart/form-data POST to send instructions to Gmail's internal API. The vulnerability can only be exploited when the user is currently logged in to the Gmail service.

This is the second major Google security vulnerability to be revealed this week. On Monday, security researcher Fernando Bedford provided a proof-of-concept exploit for a Google cross-site scripting vulnerability in Google's Blogspot polls API that facilitated e-mail hijacking and address book sniffing. That vulnerability was fixed by Google shortly after it was reported, but it is presently unclear whether or not the vulnerability discovered by Petkov has been fixed yet.

Petkov has also recently disclosed serious vulnerabilities in Adobe's PDF reader and in Quicktime.

In a blog entry about the latest Gmail vulnerability, Petkov points out that web-based cross-site scripting attacks can potentially pose a more serious threat to users than conventional viruses. "[V]irtualized browsers will never protect you from these types of attacks. In an age where all the data is in the cloud, it makes no sense for the attackers to go after your box," wrote Petkov. "[I]t is a lot simpler to install one of these persistent backdoor/spyware filters. game over! they don'??t own your box, but they have you, which is a lot better."

Many companies are rapidly shifting their applications from the desktop to the web. Unfortunately, the security implications of this transition are not always fully considered. Widely used Ajax web application development techniques can expose web services to the risk of being compromised. Security vulnerabilities like the one revealed by Petkov add fuel to the debate that is presently raging between privacy advocates and companies that collect and store a lot of personal information on the Internet.

Google has not responded to the situation by press time.