Last week, it was reported that approximately 60 GMail users had all of their email accidentally deleted (Dena and I weren’t affected, thank goodness). Then no more than 24 hours ago, a vulnerability was discovered in that a malicious website can swipe your email address from a cookie if you’re logged into GMail at the same time; making it easy for spammers to nab your email address, should you dare visit their nefarious site. Then as of a few hours ago, users’ GMail contact lists could be retrieved by malicious websites via the JSON API.
Now I don’t want to comment on where Google is in the right or wrong and how their luck has taken a down-turn, since other bloggers have and will continue to do so. Although, I am a bit perplexed as to why Google didn’t have backups for those deleted emails. I’ve read that Google has rolled their own file system and that it’s apparently amazing, but I’m not sure any file system is rock solid enough to forgo disaster recovery plans for mission-critical applications and data.
At any rate, what I’d like to focus on are the two vulnerabilities, both of which have been fixed. Since Gmail is a web application, any update that Google makes to Gmail is automatically available to all users. Nobody has to go to the store to purchase new software, or download any patches or service packs. All users are using the latest version, complete with fixes for known problems. Also, it should be noted that the vulnerabilities were corrected in less than 24 hours since they were publicly announced.
