Adrian ‘pagvac’ Pastor, a security researcher with GNUCitizen.org, on Friday posted proof-of-concept code that injects a third-party page (a fake login page, in Pastor’s example) into a frame of a Google page while the browser’s address bar still displays the Google domain. A user who trusts the address bar could be duped into entering login details.
"The beauty of frame injection attacks is that the attacker is able to impersonate a trusted entity without needing to bypass XSS/HTML filters or even break into the target server," Pastor explained on the GNUCitizen site.
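The pattern Pastor describes needs no XSS filter bypass because the attacker supplies a URL to load, not HTML to render. The following is an added example, not Pastor’s proof-of-concept or any Google code: it shows the classic sink (a page on a trusted domain that loads a frame from a URL parameter with no check) next to a hardened version that only accepts targets on an allowlist of origins. The origin names, the default target and the sample inputs are assumptions constructed for the demonstration.

```javascript
// Added example (not from the original article or from GNUCitizen). A page on
// a trusted domain that loads a frame from a URL parameter is the classic
// frame injection sink: the address bar shows the trusted site while the frame
// shows attacker-controlled content. The allowlist, default target and sample
// inputs below are assumptions for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://mail.example.com',   // assumed trusted origins for the demo
  'https://docs.example.com',
]);
const DEFAULT_TARGET = 'https://mail.example.com/inbox';

// Vulnerable: whatever the parameter says is loaded into the frame. In a
// browser this would be `frame.src = vulnerableFrameTarget(param)`.
function vulnerableFrameTarget(param) {
  return param || DEFAULT_TARGET;
}

// Hardened: parse the candidate as an absolute URL, require http(s), and
// require the origin to be on the allowlist; anything else falls back to the
// default. Comparing origins (not string prefixes) rejects lookalikes such as
// "https://mail.example.com.evil.net" and "https://mail.example.com@evil.net".
function safeFrameTarget(param, allowed = ALLOWED_ORIGINS) {
  if (typeof param !== 'string' || param.length === 0) return DEFAULT_TARGET;
  let url;
  try {
    url = new URL(param); // throws on relative, scheme-relative or malformed input
  } catch (_) {
    return DEFAULT_TARGET;
  }
  // Blocks javascript:, data: and other non-web schemes.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return DEFAULT_TARGET;
  if (!allowed.has(url.origin)) return DEFAULT_TARGET;
  return url.href;
}

// Constructed inputs: the kinds of values an attacker would put in the parameter.
const SAMPLES = [
  'https://mail.example.com/inbox?folder=sent',          // legitimate
  'https://attacker.example.net/fake-login',             // third-party page
  'https://mail.example.com.attacker.example.net/',      // lookalike host
  'https://mail.example.com@attacker.example.net/',      // userinfo trick
  'javascript:alert(document.domain)',                   // script scheme
  '//attacker.example.net/',                             // scheme-relative
];

// Runs every sample through both resolvers so the difference is visible.
function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    vulnerable: vulnerableFrameTarget(s),
    safe: safeFrameTarget(s),
  }));
}

for (const row of demo()) {
  console.log(row);
}
```

Only the first sample survives `safeFrameTarget`; every other input resolves to the default. The allowlist is deliberately a set of exact origins rather than a domain suffix, because suffix or prefix matching is exactly what the lookalike and userinfo samples are built to abuse.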
In a related blog post on Friday, security researcher Aviv Raff explained that Google is vulnerable to "a cross-domain Web-application sharing security design flaw."
According to these reports, the flaw had been known since April, and Google had not yet taken any action.
"Today, after not getting any further response from the Google security team about this issue, and after Adrian published his proof-of-concept, I’ve decided to reveal this information in a hope that this security design flaw will be fixed by Google as soon as possible," said Raff.
In reference to the proof-of-concept, a Google spokesperson said, "We’re aware of the potential for this kind of behavior when services are hosted across multiple domains, and we take steps to restrict it where we believe it may have security consequences."
Google needs to explain this one on its official site so that Gmail users can feel comfortable using the free service. Remember, too, that e-mail can be tracked. If your mailbox still holds messages containing sensitive data such as usernames and passwords, keep a hard copy or printed copy of them, or transfer them to your PC for safekeeping. Better to do that now than be sorry later. What if someone hacked our AdSense earnings? So be careful.