Google has fixed a flaw in Google Mail after the problem was disclosed by a blogger, the company said on Thursday.
The flaw could allow JavaScript code to run when viewing a message in Gmail, potentially allowing malicious code to be used by an attacker to compromise a Gmail account, according to a blogger who calls himself Anthony.
The blogger, who claims to be a 14-year-old student, found the flaw when sending code from his Yahoo Web mail account to his Gmail account, he wrote on Wednesday. The blog is hosted by Google's Blogger service.
Google fixed the flaw "very shortly after the initial blog post went up," it said. "We learned of a minor security flaw in Gmail a little while ago and worked quickly to fix the problem, which has now been resolved," the search firm said.
Because the vulnerability was fixed quickly, it likely never was exploited in any attacks, according to Google. Still, Google would have preferred to have been alerted to the flaw privately, instead of via a public blog.
"We encourage all vulnerability reporters to follow responsible disclosure practices and notify vendors first before making the vulnerability public," the representative said.
Flaws in online services are found regularly. Last December, Google fixed a security hole in the mechanism it uses to generate error pages for forbidden redirects and pages that don't exist on the Google Web site. The flaw opened the door to phishing scams, account hijacks and other attacks.
Similar flaws have been discovered and fixed in other parts of Google's Web site, as well as in Microsoft's Xbox 360 Web site and Yahoo's Web-based email service.
Story URL: http://news.zdnet.co.uk/security/0,1000000189,39255511,00.htmCopyright © 1995-2008 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.