Gmail users were put at risk yesterday when a big security hole was detected in the Google API. When users visited a certain blog, the website harvested their email addresses and sent emails to them.
The emails told the user to visit the embedded link and pass it on to others. The message even says that the user received it because he/she had visited it before. You can see a screencap of the email below.
In response, Google resolved the issue in a flash and had this to say: “We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to firstname.lastname@example.org.”
While the exploit isn’t particularly dangerous, it is something that a lot of people would want to have on their sites. Users’ email addresses, along with knowing who is visiting your site, are extremely valuable information.