Gmail Vulnerability Reported

    July 20, 2004

A vulnerability in Google’s Gmail may give remote users access to Gmail user information. The culprit is the Gmail CheckAvailability script. Remote users can call the ‘/accounts/CheckAvailability’ script repeatedly until the system returns another user’s information.

The only information that seems to be revealed is the user’s first and last name and desired Gmail account. Also, in order to access this information, the remote user must have a valid Gmail invite. While this may not be as serious a security concern as, say, revealing credit card information, it is still a worry for users wishing to remain anonymous.

These warnings come from the Security Tracker alert, and although sources say Google has been notified, apparently the problem went unresolved for weeks.

While this may cause some embarrassment for Google, it’s important to remember that Gmail is still in the beta testing phase.

Brittany Thompson is an administrator for and contributes to the Insider Reports with her regular articles and interviews.