My Gmail got hacked
I discovered in December that my Gmail accounts (two of them) had been hacked. All mail sent to those accounts was actually being forwarded to another (the hacker’s) email account. I only realized this after a few weeks or so, because emails in those accounts are normally redirected to another email address of mine.
As always, there’s something to be learned here. I suspect the accounts got hacked because I was logged in to those accounts in one browser tab while browsing other web sites in another tab. This left them vulnerable to XSS, or Cross Site Scripting. Some malicious web site had a script that, as soon as I visited it, automatically tried to post form data to the Gmail account settings page and make the necessary changes. There are documented attacks of this kind in the wild, so this is a serious problem.
I suspect Gmail and every other web-based email service is always going to be vulnerable to them, no matter what they do. New vulnerabilities and exploits against them are constantly discovered. When they are patched, new ones appear later. It’s a cat-and-mouse game. That’s something to think about for everyone who (like me) uses Gmail for work and keeps sensitive information there.
How to limit your exposure, then? One solution is to log out immediately after you have finished reading your email and before you continue browsing other web sites. This is not always feasible, and sometimes you simply forget.
I came up with another solution to this problem: dedicate a browser to email access only. In the case of Gmail, you can take, for example, the Chrome browser and use it only to access Gmail/Hotmail/your-email-of-choice, thereby substantially limiting your exposure to XSS attacks. Use something else, like Firefox, for day-to-day browsing.
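To make the mechanism behind both the attack described above and the dedicated-browser fix concrete, here is an added example (not code from the original post, and not Gmail’s own): a model of a settings endpoint that first trusts any request carrying the session cookie, and then a hardened version that also demands a session-bound token and a same-site Origin header. The site origin, cookie name, session id and secret are constructed values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Hypothetical mail service origin and server-side secret (constructed values).
SITE_ORIGIN = "https://mail.example.test"
SERVER_SECRET = b"constructed-server-secret"


@dataclass
class Request:
    """Minimal model of a POST to the account-settings endpoint."""
    cookies: dict
    headers: dict
    form: dict


def csrf_token_for(session_id: str) -> str:
    """Token the legitimate settings page embeds in its form; a foreign page cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def naive_accepts(req: Request) -> bool:
    """Weak check: any request carrying the session cookie is trusted.
    The browser attaches cookies to a cross-site form post, so an auto-submitted
    form from another tab in the same browser passes this check."""
    return "SID" in req.cookies


def hardened_accepts(req: Request) -> bool:
    """Hardened check: session cookie, a token bound to that session, and a same-site Origin."""
    sid = req.cookies.get("SID")
    if not sid or req.headers.get("Origin") != SITE_ORIGIN:
        return False
    return hmac.compare_digest(csrf_token_for(sid), req.form.get("csrf_token", ""))


def demo() -> dict:
    sid = "session-123"  # constructed session id
    legit = Request({"SID": sid}, {"Origin": SITE_ORIGIN},
                    {"forward_to": "me@example.test", "csrf_token": csrf_token_for(sid)})
    # Form auto-submitted by another site in a tab of the same browser: the SID
    # cookie rides along, but the Origin is foreign and the token is unknown.
    foreign = Request({"SID": sid}, {"Origin": "https://other-site.example.test"},
                      {"forward_to": "attacker@example.test"})
    # Same foreign form, but the mail account lives in a separate, dedicated browser:
    # the browsing browser holds no SID cookie, so even the weak check rejects it.
    isolated = Request({}, {"Origin": "https://other-site.example.test"},
                       {"forward_to": "attacker@example.test"})
    return {name: (naive_accepts(r), hardened_accepts(r))
            for name, r in (("legit", legit), ("foreign", foreign), ("isolated", isolated))}


if __name__ == "__main__":
    print(demo())
```

The `foreign` row is the case the post describes: the weak check accepts it because the cookie is present, while the hardened check rejects it; the `isolated` row shows why a dedicated browser works even against a service that only checks the cookie.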