Google Friend Connect Exploit Allows Users To Harvest Emails

TechCrunch is reporting that an exploit in Google Friend Connect allows a website to harvest the email addresses of logged-in Google users who visit it. The exploit was demonstrated when users visited guntada.blogspot.com, which has since been blocked by Google.

According to TechCrunch, this happened when you were logged in to your Gmail or Google account. Although only your email address was harvested, this is not only a big security hole but also a big privacy breach.

Source: medium.com

Once you visited the site, you would receive an email at your logged-in address, as shown above. Scary, right? Google is already fixing it as we speak; we will update this post once we receive an update from Google.

Update: Google Spokesperson Lily Lin sent us the following statement:

We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to [email protected].