Adobe confirmed that a zero-day universal cross-site scripting (XSS) flaw affecting all versions of Flash Player available at the time was used to compromise Gmail accounts. According to the reports, the attackers built a specially crafted Flash file (.swf) that exploited the vulnerability to inject a forwarding address into the victim's Gmail settings. Once the forwarding address was in place, the attacker received a copy of every email sent to the victim.
According to the reports, the vulnerability is being exploited in the wild in active, targeted attacks that trick the user into clicking a malicious link delivered in an email message.
According to Adobe, the affected versions are:
“Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android”
“Adobe recommends all users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris upgrade to the newest version 10.3.181.22 (10.3.181.23 for ActiveX) by downloading it from the Adobe Flash Player Download Center. Windows users and users of Adobe Flash Player 10.3.181.16 for Macintosh can install the update via the auto-update mechanism within the product when prompted.
Users of Adobe Flash Player 10.3.185.22 and earlier for Android can update to Adobe Flash Player 10.3.185.23 by browsing to the Android Marketplace on an Android phone.”
Although this is a client-side vulnerability, there is an application-security lesson in it: critical changes to user settings (adding a forwarding address is the obvious example) should require a fresh user challenge-response, such as a CAPTCHA or a password re-prompt, before they are applied; a request injected into the victim's session by script cannot answer that challenge. In addition, application activity can be monitored for changes in the way the application is used. In this case, if the "normal" rate at which forwarding addresses are added to Gmail accounts is known, a sudden rise in that rate while the attack is running can be detected, and the attack mitigated in response.
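Both mitigations can be sketched in code. The following is an added example written for this page, not code from Google, Adobe or the original article: a toy settings service that refuses to add a forwarding address unless the user passed a step-up challenge within the last few minutes, and a detector that flags an hour in which forwarding-address additions exceed a baseline learned from the preceding 24 hours. The class and function names, the five-minute window, the z-score threshold and the audit-log lines are all assumptions made for illustration.

```python
"""Added example (not from the original article, Google or Adobe).
Part 1: settings changes gated on a recent challenge-response.
Part 2: rate-based detection of a burst of forwarding-address additions
over constructed audit-log lines.  Names and thresholds are assumptions."""
import statistics
from collections import Counter
from datetime import datetime, timedelta

STEP_UP_MAX_AGE = timedelta(minutes=5)   # assumed validity of a passed challenge


class StepUpRequired(Exception):
    """Raised when a sensitive change arrives without a fresh challenge."""


class SettingsService:
    def __init__(self):
        self.forwarding = {}      # user -> list of forwarding addresses
        self.last_step_up = {}    # user -> time the challenge was last passed
        self.audit_log = []       # "<iso-ts> add_forwarding user=<u> addr=<a>"

    def pass_challenge(self, user, now):
        # The CAPTCHA / password re-prompt is assumed verified at this point;
        # we only record when it happened.
        self.last_step_up[user] = now

    def add_forwarding(self, user, addr, now):
        # A scripted request riding on the victim's session (the XSS case)
        # has no recent challenge on record, so it is refused.
        passed = self.last_step_up.get(user)
        if passed is None or now - passed > STEP_UP_MAX_AGE:
            raise StepUpRequired(user)
        self.forwarding.setdefault(user, []).append(addr)
        self.audit_log.append(f"{now.isoformat()} add_forwarding user={user} addr={addr}")


def hourly_counts(log_lines):
    """Count add_forwarding events per hour from audit-log lines."""
    counts = Counter()
    for line in log_lines:
        ts, event, *_ = line.split()
        if event == "add_forwarding":
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
            counts[hour] += 1
    return counts


def detect_spikes(log_lines, baseline_hours=24, z_threshold=3.0):
    """Flag each hour whose count exceeds mean + z*stdev of the preceding
    baseline window.  Returns a list of (hour, count, threshold)."""
    counts = hourly_counts(log_lines)
    if not counts:
        return []
    first, last = min(counts), max(counts)
    hours = [first + timedelta(hours=i) for i in range(int((last - first) / timedelta(hours=1)) + 1)]
    series = [counts.get(h, 0) for h in hours]
    alerts = []
    for i in range(baseline_hours, len(series)):
        window = series[i - baseline_hours:i]
        sd = max(statistics.pstdev(window), 1.0)   # floor so a flat baseline still gives a sane threshold
        threshold = statistics.mean(window) + z_threshold * sd
        if series[i] > threshold:
            alerts.append((hours[i], series[i], threshold))
    return alerts


def constructed_log():
    """Constructed sample data: 24 quiet hours, then a burst of 40 additions
    (many victims forwarding to one collector address within one hour)."""
    base = datetime(2011, 6, 1, 0, 0, 0)
    lines, n = [], 0
    for hour in range(24):                       # 1 or 2 additions per hour
        for k in range(1 + hour % 2):
            ts = base + timedelta(hours=hour, minutes=7 * k)
            lines.append(f"{ts.isoformat()} add_forwarding user=u{n} addr=mail{n}@example.net")
            n += 1
    for k in range(40):
        ts = base + timedelta(hours=24, minutes=k)
        lines.append(f"{ts.isoformat()} add_forwarding user=v{k} addr=collector@example.net")
    return lines


def step_up_demo():
    """Exercise the gate: no challenge -> refused, fresh challenge -> allowed,
    stale challenge -> refused."""
    svc, now, outcomes = SettingsService(), datetime(2011, 6, 1, 12, 0), []
    for addr, at in [("attacker@example.net", now),
                     ("me@example.org", now + timedelta(minutes=1)),
                     ("attacker@example.net", now + timedelta(minutes=10))]:
        if at == now + timedelta(minutes=1):
            svc.pass_challenge("alice", now)     # user answered the prompt just before
        try:
            svc.add_forwarding("alice", addr, at)
            outcomes.append("allowed")
        except StepUpRequired:
            outcomes.append("refused")
    return outcomes


if __name__ == "__main__":
    print(step_up_demo())
    for hour, count, threshold in detect_spikes(constructed_log()):
        print(f"ALERT {hour.isoformat()}: {count} forwarding additions (threshold {threshold:.1f})")
```

The detector is deliberately simple: it learns a per-hour baseline from the trailing window and alerts when the current hour exceeds it by three standard deviations, with the deviation floored at one so that a very quiet baseline does not alert on a single extra addition. In production the same logic would run over the real audit stream, and the alert would feed a response such as temporarily forcing a step-up challenge on every forwarding change or reviewing the addresses added during the burst.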