Gmail Hole Can't Be Closed By End Users, Says Windows Secrets
Leaves User Passwords, Private Information Vulnerable
By: .NETDJ News Desk
Apr. 23, 2009 09:36 AM
People who use Google's free e-mail service, Gmail, may be getting more than they bargained for, according to a story in today's edition of the Windows Secrets Newsletter. Contributing editor Scott Spanbauer reports that a vulnerability in Gmail that was publicly disclosed last month remains unpatched, leaving users' contact lists, photos, and business or financial information vulnerable to attack.

The Gmail flaw belongs to a class of attacks known as cross-site request forgery (CSRF). The problem was first privately reported to Google in July 2007, according to security firm Internet Security Auditors (ISA). Details of the CSRF technique were publicly disclosed by security researchers in March 2009 due to frustration, they say, with Google's lack of corrective steps on its server.

CSRF attacks use security holes in cookies, password requests, and other interactive Web components to intercept communications between browsers and a Web site's server. Gmail users can lose private data to hackers or find that their passwords have been changed, giving an intruder control of any other Google services the users customarily sign in to by using the same password, according to a proof of concept by ISA.

"CSRF attacks are not new," states Brian Livingston, editorial director of Windows Secrets. "YouTube, Netflix, and even NYTimes.com have found similar vulnerabilities. The difference is that those companies stepped up and plugged the holes while Google is placing the burden on users to fix the problem themselves."

The biggest problem, according to Livingston, is that the usual things an end user might do to safeguard Gmail won't work. Some bloggers, the Windows Secrets article reports, have stated that the CSRF hole can be closed if users set Gmail to use "https" encrypted communications instead of the ordinary "http" method. But this is ineffective, the article says, quoting an expert from ISA who emphasizes that only Google can correct the problem on its server.
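Why switching to "https" does not close a CSRF hole while a server-side check does, shown as an added example that is not taken from the Windows Secrets article, ISA, or Google: a simulated password-change handler that trusts the session cookie alone, beside one that also requires a per-session token. All names here (`login`, the `sid` cookie, the `csrf_token` form field, both handlers) are assumptions for illustration; the page does not describe how Gmail's own handler works.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to the browser
SESSIONS = {}                          # session id -> account state (constructed sample data)

def csrf_token(sid):
    # Token is bound to the session, so a token issued for one session fails in another.
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def login(user, password):
    """Create a session; return (session cookie, token embedded in the site's own forms)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "password": password}
    return sid, csrf_token(sid)

def change_password_vulnerable(request):
    """Trusts the cookie alone; the browser attaches it to any request, https or not."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    session["password"] = request["form"]["new_password"]
    return 200

def change_password_hardened(request):
    """Also requires the per-session token, which a page on another origin cannot read."""
    sid = request["cookies"].get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):
        return 403
    session["password"] = request["form"]["new_password"]
    return 200

def forged_request(sid):
    # Constructed cross-site request: sent over https with the user's cookie, but no token.
    return {"scheme": "https", "cookies": {"sid": sid},
            "form": {"new_password": "attacker-chosen"}}

def genuine_request(sid, token):
    # Constructed request from the site's own form, which carries the token.
    return {"scheme": "https", "cookies": {"sid": sid},
            "form": {"new_password": "user-chosen", "csrf_token": token}}
```

Neither handler looks at `scheme`: encryption protects the request in transit, but the decision to accept or reject it is made entirely by the server-side check.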
The complete article and tips for securing Gmail, Hotmail, and Yahoo Mail can be found at http://WindowsSecrets.com/2009/04/23/ts.

The Seattle-based WindowsSecrets.com publishes a free, weekly e-mail newsletter with over 400,000 subscribers. A longer, paid version is available for a contribution determined by the subscriber. Published since 2003, the newsletter reveals tips and tricks to get the most out of Microsoft Windows. Employing six full-time staff members, WindowsSecrets.com publishes the work of several contributing editors, including Fred Langa, Woody Leonhard, Ryan Russell, and Susan Bradley. For more information, visit www.WindowsSecrets.com.