In which I pose a question about spam.
I was looking at my email, when a message from Google appeared on the top of the screen. This proclaimed to the world (well, to me...) that if I went into my settings, I could choose a theme for Gmail. I've gone Ninja (I liked the font mainly!)
For more, see the Gmail Blog on the subject.
Google Mail's servers have a security flaw which could allow spammers to send unlimited amounts of spam. Given that most other providers trust Gmail, this means that lots of spam could get through due to Google being whitelisted. I don't *think* it affects the security of arbitrary accounts on Gmail, so for individual users, no action is needed.
Whilst whitelisting for email providers is generally a good thing, it does highlight that whitelisted emails do need to be verified periodically as even trusted sources can have problems.
As I write, there is no comment from the Gmail Blog. The last post they made was about how to search emails.
The attack appears to be 'man in the middle' and so relies upon an interception between you and your account (or indeed, for you to be the bad guy to send spam). For most people this will mean that their computer has been taken over by a virus, or their ISP is dodgy (unlikely if the ISP wants to stay in business... but then there is Phorm). However, a man in the middle attack could be more likely in a setting like an internet café. In other words, the attacker needs to get in between the user and Gmail.
It seems the most likely attack would be for the spammer to open a Gmail account, use it directly to spam, and then move on if it got blocked.
The details aren't fully published, and I'm a little out of my comfort zone, so I'm speculating a bit - however, I'd be surprised if this wasn't patched quickly.
The Firefox Gmail plugin has been working well. Too well... it's been wonderful. The auto login no longer works. Gmail have implemented a 'copy the graphic into the box' type of login which has rendered the plugin impotent.
Nasty - and incredibly unfriendly for blind people.
It's a pain really; I think they've done it to defeat 'pop goes the gmail' and such, but the Firefox Gmail plugin did not remove any ad revenue from Gmail, as one still had to use the site to read the email.
Fortunately the plugin uses the Gmail persistent cookies, so a manual login every fortnight is needed: a pain, but not insurmountable.