I just saw a tweet that made me want to write this post and publish it immediately!
There is a serious flaw in Google's Gmail service. I believe many of you readers use that service and probably have a tab open in your browser right now.
@wenyunchao tweeted a video demonstrating how the hack works:
The video is in Chinese, but I will briefly explain what is going on.
To check whether your account has already been compromised, go to your Gmail account settings, click on the Account tab, and under the "Grant access to your account" section look for any entry you do not recognise. If there is one, click DELETE immediately.
The hack works by sending you an email containing a masked URL and tricking you into clicking the link.
The hack was demonstrated on Firefox 4.0: the linked page loads a Flash file, which then uses Flash's redirect capability to act on a URL parameter.
Once you are infected, the hacker has access to your account without needing your password.
I'm not sure whether this hack has been used in places other than China, but apparently quite a lot of users in China have been tricked into clicking the link, because the link in the email is masked to look like Weibo, the popular microblogging service in China.
To prevent this, as usual, DO NOT CLICK any link in any email; copy and paste the address instead. Some also suggest opening the link in a completely different browser.
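To make the "masked URL" point concrete, here is a small defensive check, added as an example that is not from the original post or the tweet: it flags anchors whose visible text names one site (here weibo.com) while the href actually points at a different host. The sample anchors are constructed and `attacker.example` is a placeholder host.

```javascript
// Flag anchors whose displayed text claims one site while the href goes elsewhere.
// Sample anchors below are constructed; "attacker.example" is a placeholder host.

function hostOf(value) {
  // Extract a lowercase hostname from a URL or bare-domain string; null if none.
  try {
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value) ? value : "http://" + value;
    return new URL(withScheme).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

function textLooksLikeAddress(text) {
  // A masked link abuses display text that reads like a URL or domain name.
  return /^(https?:\/\/)?([a-z0-9-]+\.)+[a-z]{2,}(\/\S*)?$/i.test(text.trim());
}

function sameSite(a, b) {
  // Treat "www.weibo.com" and "weibo.com" as the same site.
  const strip = (h) => h.replace(/^www\./, "");
  return strip(a) === strip(b);
}

function findMaskedLinks(anchors) {
  // anchors: [{ text, href }]; returns entries where the shown host and the
  // real destination host disagree.
  const masked = [];
  for (const { text, href } of anchors) {
    if (!textLooksLikeAddress(text)) continue;
    const shown = hostOf(text);
    const actual = hostOf(href);
    if (shown && actual && !sameSite(shown, actual)) {
      masked.push({ text, href, shown, actual });
    }
  }
  return masked;
}

// Constructed sample: one masked link, one honest link, one plain-text link.
const SAMPLE_ANCHORS = [
  { text: "http://weibo.com/login", href: "http://attacker.example/page?to=PLACEHOLDER" },
  { text: "weibo.com", href: "https://www.weibo.com/" },
  { text: "Click here", href: "http://attacker.example/" },
];

console.log(findMaskedLinks(SAMPLE_ANCHORS));
```

In a browser the same function can be fed `Array.from(document.links, a => ({ text: a.textContent, href: a.href }))` to audit a rendered email or page.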
Also check your Gmail settings frequently: look for unauthorized access and review who you have granted permission to access your inbox.
So far there is no report of whether the hack works in Google Chrome, since Chrome is supposed to have a sandbox to protect users, but since this relies on Flash, it is a completely different story.
Many believe this is a flaw on Google's side, and hopefully Google will patch it and give users some sort of notification whenever an important setting of this kind is changed.
Until then, be aware and take care.
Disclaimer: I'm no security expert; I wrote this post just to raise awareness. The information given above may be incorrect. If you find any mistake or flaw in the post above, please let me know in the comments and I will try to correct it.