Why you should always log out off Gmail

Martin Brinkmann
Dec 27, 2007
Updated • Mar 22, 2014
Email, Gmail, Security

Let me tell you a story. A story of a person who has an Gmail account and a domain registered to his name.That person checks Gmail regularly for new emails and uses the same browser to visit other websites and services as well.

It is convenient to stay signed in as you do not need to type your password or email address anymore when you go back to Gmail to check for new mail. Maybe Gmail is open all the time in another tab for even further comfort.

While on vacation in India the person received some disturbing notifications about his domain from some of his friends. The website was not loading anymore but redirecting all visitors to a new website that seemingly had no connection with the original domain whatsoever.

He investigated the matter and discovered that he was no longer the owner of the domain name which happened to be his name dot com. First he thought that the domain might have expired but soon thereafter he discovered that a Gmail hack had been used to change the owner of the domain name.

It works like this. If you stay logged in at Gmail and visit a prepared website afterwards your Gmail filter list can be altered. In this case all mails from the domain provider was forwarded to another mail account and deleted on Gmail afterwards so that the owner of the account would not receive information about it or stumble upon it on the site.

The new password request was forwarded to the hacker who was then able to initiate the domain transfer at the webhoster.

Since all mails regarding the transfer were immediately redirected and deleted the victim had no idea what was going on. The only possibility would be if he would have logged into the webhosters website and take a look at the tickets that had been created to transfer the domain.

You can read the long version on David Arey's Website. This hole has been fixed apparently but filters that have been set before can still be in place. If you use Gmail you should check your filters asap and make sure that they have not been altered in any way.

Since this is probably not the last security hole you should make sure that you always log off when you are finished.

Another possibility would be to use an email program like Thunderbird instead.

The same goes for accessing accounts on local computer systems. If you need to sign in, you better make sure that the information are not stored by the web browser and that you sign out when you are finished and clear the cache and cookies as well to be on the safe side.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Jay said on March 17, 2008 at 8:41 am

    Ghacks – this is a pretty silly article. For starters, you got the title wrong – It should have been “Filters in gmail can screw your life!”. Why wouldn’t anyone logff their email in a cybercafe in India / Thailand or whateva!? Logging off your email is an ettiqutte on the web and anyone who doesn’t is always vulnerable.

  2. kurt wismer said on December 28, 2007 at 12:18 am

    a) to those who think this is a hoax, it is not… nor is the problem new, it’s cropped up at least 3 times that i know of and i wrote about it at the beginning of 2007… do a search for csrf and gmail and you should find plenty on it (csrf is cross site request forgery)…
    b) logging out of gmail may not be sufficient… google operates a single sign-on system such that if you’re logged into one of their services you’re logged into all of them… if gmail is the only google service you use then logging out of gmail would be sufficient, but if you use other services like google calendar, google docs, google reader, etc – then logging into any one of them will log you back into gmail and expose you to the risk of having your gmail account hijacked…

  3. Rico said on December 27, 2007 at 11:44 pm

    i’d recommend using GMail’s POP3 or IMAP access via your favorite email client. Personally, i’ve never stayed logged into GMail’s web interface because i don’t like Google cataloging my search history, among other things.

  4. Ace_NoOne said on December 27, 2007 at 10:48 pm

    If you must use a web-based reader (I sill prefer a client like Thunderbird), why not use WebRunner/Prism, specifically and exclusively for that particular web app?

  5. JC said on December 27, 2007 at 9:22 pm

    boy that David Arey story is a nightmare… hadn’t heard anything about it until now. It’s a tough situation, you want a non domain e-mail contact for registrar’s or domain hosts if you need a contact if your domain/server goes down and you only own one server, but those other options are generally web accessible.

  6. Martin said on December 27, 2007 at 8:30 pm

    Tchelo I would be very careful with those assumptions. Did you check out this link ? http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

    Maybe it’s time for an apology..

  7. Tchelo said on December 27, 2007 at 8:19 pm

    I used to be a frequent reader of gHacks.net, but this is too much BS for me to keep reading. Come on! Gmail Filters being hacked?! Yeah, right…
    You should really confirm your stories before you post them. Oh please!

  8. Thilak said on December 27, 2007 at 8:19 pm

    Yet another reason to use Thunderbird or Outlook to fetch your emails from Gmail!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.