[Full-disclosure] Forwarding message vulnerability on Google Groups
xploitable at gmail.com
Fri May 16 00:46:43 BST 2008
If joebloggs at google.com is banned from a Google Group and
xploitable at gmail.com is registered with that group,
joebloggs at google.com can subscribe to a mailing list such as
Full-Disclosure and start forwarding all messages xploitable at gmail.com
sends to that mailing list if xploitable at gmail.com is registered to
it, and directly post them to the Google Group joebloggs at google.com is
This is probably done by the banned joebloggs at google.com setting up a
filter on Gmail Settings > Filter > Matches:
from:(xploitable at gmail.com)
Do this: Forward to (n3td3v at googlegroups.com).
Severity of this issue is obviously critical and you should switch the
victim's registered (xploitable at gmail.com) e-mail address on a Google
Group to "moderate" as a work around, until Google Groups fixes this
Google Inc. (GOOG) was notified simultaneously as this security
advisory was published to the wild.
All the best,
Full-Disclosure is hosted and sponsored by Secunia.