Hackers have discovered a new vulnerability in the email provider’s Web API, which could allow them to access sensitive data stored on the company’s servers.
The exploit, dubbed “vulnerability-19” in the blog post, is still being actively investigated, but researchers believe it could allow a remote attacker to access and execute arbitrary code on a vulnerable Web server.
The vulnerability is described in detail in the advisory, which was published on Thursday by a vulnerability research firm called Kaspersky Lab.
“The vulnerability allows a remote user to obtain sensitive information from an exposed Web server, including passwords and other sensitive information stored on a Web server,” the advisory says.
“The attacker can then use the information to remotely execute arbitrary commands on a remote system.”
Kaspersky Lab said it had found the vulnerability in Google Chrome.
Google declined to comment.
The vulnerability comes at a time when many major Web services are being upgraded to address a wide variety of security issues that have plagued users for years.
The latest update, version 54 of the browser, adds two new security features to the Web API: a “security exception” and a “secure browsing” feature.
“As with any new security vulnerability, it is important to keep an eye out for it and take appropriate action to mitigate the impact on your business,” the company said.
“This issue affects all of the major Web browsers, including Internet Explorer, Firefox, Chrome, Safari, Opera, and Internet Explorer Mobile.
It is also present in the latest Firefox version.”
The flaw, which affects Chrome, Firefox and other Web browser versions, has been reported to Kaspersky Lab, according to the advisory.
“This vulnerability is not exploitable in any browser other than Chrome,” the blog says.
Kaspersky Lab said its research showed that “vulnerabilities affecting the WebAPI can be exploited remotely on an existing Web server and may be exploited by the attacker to gain access to sensitive information, including password hashes and other information stored in the WebServer.”
Klausen says the vulnerability was discovered by a team of researchers from the German company Kaspersky, who analyzed the Web Server API and discovered that a remote “authentication” attack could be used to gain control over a vulnerable web server.
“We have been working on this issue for over a year and are working on a solution to protect users,” he said.
“I hope this will serve as a wake-up call to Web services and to users that this kind of vulnerability is possible and has been discovered.”
Kaspersky said the flaw is relatively small and could be easily mitigated by simply updating to a newer version of the Web APIs, or by using “secure login” for web browsers, as recommended by Mozilla.
In the meantime, it advised Web users to upgrade to a version of Web APIs that has “more features” such as “security exceptions,” “secure authentication,” “sandboxes,” “automatically encrypting your session after you close the browser” and “better performance.”