GMail Vulnerable To Contact List Hijacking

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7. IE6 was un-tested as of now."

Which is the problem?

[Zaphod-AVA]

So is this a Firefox, Gmail, or javascript vulnerability?

Re:Which is the problem?

[Stalus]

Works fine in IE6. TFA states "I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three." so I'm not sure where the poster got the idea that it was Firefox only.

Re:Which is the problem?

[WinKing]

If there is no problem for other browsers then obviously, there is something that FF needs to look into the thing.
Now a days after releasing of FF I have heard lots of issues in between GG and FF. You may have seen the latest update for firefox 2.0 for the fixing of gMail. Wondering what could be the reasons.

Re:Which is the problem?

[Bogtha]

GMail. JSON should not be used for sensitive data because any old website can reference it simply by including it as an external script. The Google developers should not have used JSON for this information, they did, and that is why this information leak exists. There are ways to protect JSON from this (e.g. nonces) but you have to actually add this security yourself, rather than relying on the browser's built-in cross-domain security like you could if you were using XML etc.

Re:Which is the problem?

[buro9]

It's a problem with web services that comes from an assumption that JavaScript cross-domain security is in place.

When you surface data via Xml web services, you can only call the web service on the domain that the JavaScript calling it originates from. So if you write your web services with AJAX in mind exclusively, then you have made the assumption that JavaScript is securing your data.

The problem is created at two points:
1) When you rely on cookies to perform the implicit authentication that reveals the data.
2) When you allow rendering of the data in JSON which bypasses JavaScript cross-domain security.

This can be solved by doing two things:
1) Make one of the parameters to a web service a security token that authenticates the request.
2) Make the security token time-sensitive (a canary) so that a compromised token does not work if sniffed and used later.

The security token should be gathered by authenticating the user according to a mechanism that the user controls. Think of the way that the Flickr API asks you to grant an application access to your data.

Anyhow, use the noscript extension in Firefox to ensure that your data is not compromised, as you will be able to choose to block the script from running, and in doing so prevent others from gaining access to your data.

The Internet Exporer alternative is to disable JavaScript, but few people ever do this because too few sites (especially Web2.0 sites) degrade gracefully when JavaScript is disabled.

Re:Which is the problem?

[klept]

To Stalus or anyone else on Slashdot. I have a couple of questions that I would deeply appreciate if they could be answered. Ok this latest hack on gmail. Is it only your contact list that they recieve. Is nothing else hacked into like your inbox, messeges sent, etc? If so, I will be lmaf. Many of my contacts are programmers, and they will not take this spam hack lying down. If anyone can track these bozos they will, and they know how to retaliate lol. Second, an earlier story had about 60 gmail account files completely deleted. Is this part of the same hack or problem? Or is it a seperate incident and as Google claimed a glitch that has been fixed? Perhaps when they corrected the "glitch" they created a "issue", like a vulnerability that caused this contact hack? Any enlightnment would be greatly appreciated. Thank you.

Re:Which is the problem?

[appavi]

Even with JSON it is possible to prevent these type of leaks. For the requests that contains sensitive data, send data only if the HTTP request method is POST. If it is GET, then simply give a 403. Third party websites can get javascript file/data from Google only through GET(using script tags, not with XMLHttpRequest). They can't make POST request because they will be prevented by same domain policy. Google applications can retrieve the data through POST method using XMLHttpRequest because they will be in the same domain.

Re:Which is the problem?

Uhhh... you should be thanking these "bozos" for releasing the exploit so it can be fixed, tough-programmer-guy. If your programmer friends are such l337 d00ds then maybe they'd find and fix some of these exploits themselves, instead of being blindly vulnerable until some "bozos" save their ass. BTW, what does being a programmer have to do with being able to "retaliate" against some obviously much smarter programmers? Gonna send them some code? Gonna do a double compile on their bitch asses?

Why dont you ask your l337 h@X0r buddies to just look at the code. Then you'd see how the vulnerability works, and what information it can retrieve. Though I dont know if the code will look right when they try to open it in VB.

Re:Which is the problem?

[Stalus]

Well, I can't answer some of that, but some notes:

1. The link provided by Slashdot no longer shows gmail contact list information - I assume Google already changed some of this, and hopefully the new method is more secure.
2. The top of the file had an AuthToken, and it's unclear to me how much additional information you could have gotten at using that, but the file itself only contained contact information, not message bodies.
3. An example entry had the following fields: Id, Name, Email, Affinity, Groups, Addressess, Phoness, Imss (yes, Google had extra s's). So, how much could be stolen depends on how much information you kept in the contact information. It could just be an e-mail, or could have also been an address, phone number, and IM information.

I would have pasted example snippets here, but Slashdot didn't like the brackets and other code-like characters.

Really, it seems like there are three different things you would worry about here. 1) Spammers can get people's e-mails. With the amount of spam already out there, I don't think I'd even notice if another spammer got my e-mail address. 2) People can tie your name to your address and phone number. There are so many ways that this information slips through the cracks already - mostly phonebooks - that the determined person could probably figure it out. 3) People can figure out who you communicate with and trust.

This third one seems like the bigger scare to me, and could be used for all sorts of social engineering attacks. Spam filters will accept e-mail from people on your contact list. People are more likely to open an attachment from someone on their contact list. People on your contact list are more likely to care about you, and you open your aunt Betty to various sorts of fraud regarding you.

Re:Which is the problem?

[klept]

thank you :)

Re:Which is the problem?

The No Script extension by default excludes *.google.com and will run scripts; same as *.microsoft.com and about:, chrome:, resource: and obviously the extensions homepage
Make sure to remove these and only ad the sites that you want / require.

Submitter has a problem with Firefox?

[CTho9305]

RTFA:
I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three.

Does the submitter have some agenda against Firefox?

Re:Submitter has a problem with Firefox?

[davidmcg]

Indeed the current article is a bit light on details but it does say it affects the three main browsers - time to expect the barrage of "I'm glad to have switched back to IE7" posts from others that have not RTFA.

The link to test out the vulnerability seems to be down.

Re:Submitter has a problem with Firefox?

[infradead]

Didn't work on Firefox when I tried it earlier today. Move along please ...

Re:Submitter has a problem with Firefox?

[islanduniverse]

I'm glad I've switched back to IE7!

Re:Submitter has a problem with Firefox?

[Tim+C]

It works fine in my install of FF 2.0.0.1; you have to be logged in to gmail for it to work. Despite what it says in the summary, it also works in IE7 - in fact, it'll work in any browser that

* supports cookies
* supports loading of resources from domains other than the one the currently-loaded page is hosted on
* supports accessing those resources

ie pretty much all (modern) browsers.

Re:Submitter has a problem with Firefox?

[MattPat]

To give the submitter the benefit of the doubt, perhaps he or she read the article as it only works on the third one.

Or, the submitter works for Microsoft and is therefore required to make IE look spotless, lest a chair come sailing from the other end of the room.

Re:Submitter has a problem with Firefox?

[MobileTatsu-NJG]

"Does the submitter have some agenda against Firefox?"

Nah, it was just a gag to get ppl to RTFA.

Re:Submitter has a problem with Firefox?

>Does the submitter have some agenda against Firefox?

Nah. More likely:

1. He wanted to see if the /. editors were paying attention. (Hahahahahaha... ahh. Yeah, like that needed testing.)

2. He wanted to make sure his submission was sensational enough for acceptance by /..

Re:Submitter has a problem with Firefox?

[thegamerformelyknown]

Oddly enough, it isn't working for me in Opera 9.10 in Linux, despite being logged in, and Opera (AFAIK) matches that criteria...

Re:Submitter has a problem with Firefox?

[Tim+C]

Strangely enough, it's no longer working for me in Firefox (2.0.0.1, WinXP); I think google may have fixed the problem. Whether it's a real fix or an obscuration I have no idea.

Re:Submitter has a problem with Firefox?

Does the submitter have some agenda against Firefox?

The submitter appears to have some agenda against English:

By simply logging in to GMail and visiting a website, a malicious website can steal your contact list ....

So, a malicious website simply logs into GMail and bad things happen? Submitter should keep his sentences under ten words until he learns how to construct a proper dependent clause.

Re:Submitter has a problem with Firefox?

Boy, am I ever glad I switched back to IE!! Firefox is so fucking lame, fuckers.

Phew!

[sorrill]

We are lucky it was not Microsoft's Hotmail!

Works in most any java-script browser

[wnknisely]

According to the reports on Digg this hack works in all modern browsers. The real fix is probably to stop storing the contact list in a local java-script based file. (Or to always be sure to log out of Google after visiting a google page.)

http://www.digg.com/programming/GMail_Hacked_Visit _ANY_Website_and_Your_Whole_Contact_List_Can_be_St olen

Re:Works in most any java-script browser

[Elentari]

Hopefully, one main difference between Digg and Slashdot is that the users here won't go and deliberately click the URL to watch their own account get hacked.

Re:Works in most any java-script browser

[MarkByers]

Actually it is not stored locally in Javascript. I assume that the information is stored in some sort of filesystem / database and converted to Javascript on the fly to ease integration with other applications. You can also get the same information as XML if you prefer:

http://docs.google.com/data/contacts

Re:Works in most any java-script browser

[Phil246]

Hrm, since the source requests the js file from googles servers, shouldnt it be possible to check the referrer to make sure its a google page?

Re:Works in most any java-script browser

[Sancho]

That's trusting the client to send correct data. It's laughably easy to spoof the referrer.

Re:Works in most any java-script browser

[thopkins]

Most users on Slashdot won't click any links, especially links for the articles on which they are about to comment. ;)

It's an information leak

[MarkByers]

http://docs.google.com/data/contacts?out=js&show=A LL&psort=Affinity&callback=google&max=99999

It can be exploit by writing a callback function in Javascript, that can do anything, and then passing it to the above link, which gives your function all the users contact info.

Re:It's an information leak

[whiteknight31]

Heres the code that the original site used. http://www-static.cc.gatech.edu/~achille/contacts- source.txt

Why do I bother with this site?

[Inda]

Slashdot says:

"So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7"

TFA says:

"I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three."

Got any jobs going? I could do nice armchair job at Slashdot. I'd be willing to work the full 3 hours a week.

Re:Why do I bother with this site?

[Headcase88]

I could do nice armchair job at Slashdot.

Not with that sentence structure. You only made one grammar error. You could never be a /. editor.

Re:Why do I bother with this site?

[jZnat]

Don't worry, they'll get the story straight in the dupe.

Re:Why do I bother with this site?

[Luminous]

Well, then, why DO you bother with this site?

Re:Why do I bother with this site?

[Shadowin]

Not with that sentence structure. You only made one grammar error. You could never be a /. editor.

Shouldn't that be "one grammatical error" or "one error in grammar?"

How does this work

[goombah99]

How can one page get access to another page's data? Javascript or not? Aren't pages that don't have a parent child hierarchy supposed to have no way to communicate (aside from same site cookies)? How does this work

Re:How does this work

[bberens]

I suspect it works like the following:

Google places a cookie on your browser which indicates you have authenticated to Google. The afflicted website makes the same exact ajax call Gmail does in order to download the contact information. Since your browser holds the appropriate cookie, Google happily obliges and hands your contacts information over to your browser. Google.com has no way of knowing that it was javascript from another site which initiated the request, the request is coming from your browser's xmlhttp object, just like every other ajax request. The exciting part is that this exploit should work for any website, not just Gmail. It's always important to click 'log out' or close your browser when leaving sites you've authenticated to. Especially sites with personal information like webmail, banks, etc.

Re:How does this work

[dolphinling]

No. Cross-domain xmlhttprequests are blocked by firefox at least, and I'd suspect by other browsers as well. The point is that you don't have to do a cross-domain xmlhttprequest here, since google conveniently stores it in a separate javascript file, and that is embeddable in other pages.

Re:How does this work

[TubeSteak]

Here's the super simple explanation

1. Gmail sets a cookie saying you're logged in
2. A [3rd party] javascript tells you to call Google's script
3. Google checks for the Gmail cookie
4. The cookie is valid
5. Google hands over the requested data to you

If [3rd party] wanted to keep your contact list, the javascript would pass it to a form and your computer would happily upload the list to [3rd party]'s server.

At no point does [3rd party] make any request to Google.

Thank goodness

[messner_007]

Thank goodness. I was beginning to think that no one cared about my contacts.

Re:Thank goodness

Damn, now everybody must know about my monthly chat sessions with Jaleel White on plotlines Sonic the Hedgehog should've taken but didn't.

Oh, it only steals e-mail addys? Crap.
Sorry J.

Conceptual problem

[JackHoffman]

Loading script files to exchange data with the server is a very common mechanism. It even has a name: JSON. It wouldn't surprise me to find that there are many more web applications which could be exploited in this way. This isn't a browser vulnerability or a simple bug. It is a design flaw of a widely used communication protocol.

Re:Conceptual problem

[sbben]

It is a design flaw of a widely used communication protocol. Hey, this sounds familiar. SQL injection anyone?

Re:Conceptual problem

[TubeSteak]

This isn't a browser vulnerability or a simple bug. It is a design flaw of a widely used communication protocol.

How do you fix it?

From what I understand, as long as the user has a valid cookie, the information is fair game... and I imagine that there are implementations that do not even bother with a cookie.

Maybe the question is: Can it be fixed?

Re:Conceptual problem

Maybe the question is: Can it be fixed?

Probably something along the lines of requiring a key to access the contact list.

Re:Conceptual problem

[JackHoffman]

The problem is that the user has the cookie because he's logged into GMail (in a different window or tab, or he forgot to log out). The cookie which is sent with the request for the script is from the domain of the web app that the script is part of, not from the attacking website. One way to deal with this type of vulnerability is to check the HTTP referrer header, but since many users disable the referrer (mostly for privacy reasons), such a check would either not protect these users or prevent them from using the application. In essence, the website requesting the information would have to send something with the request that a third party can't know and can't cause another entity to add to the request (like the cookie). This means that the programmer has to take an extra precaution beyond implementing the functionality in a robust fashion, hence my assumption that many applications are similarly vulnerable.

Re:Conceptual problem

[zataang]

Please don't jump to conclusions. As one of the comment above notes, cross-domain xmlHTTPRequests are anyway blocked by all the main browsers. The problem in this case is because of a particular way in which the data is stored by Gmail. Calling it a design flaw of JSON is stupid.

Re:Conceptual problem

[stevey]

There is a simple fix, rather than making a request to a remote site which tests only your logged in cookie it should instead send a "random" value with the request.

The way it works is:

• Google sends the a form to you with a hidden "auth string".
• When you make a request back you send the same auth-string/token with the request.
• If the login cookie is invalid then the request is denied.
• If the login cookie is valid and the auth-string was correct the results are sent back.
• If the auth-string was missing then you know the request was forged.

This is the difference between http://example.com/logout and http://example.com/logout/124rkjfldf for example - The former is insecure since example.net could include that link in an image source; whereas the latter example uses a token appended to the URL - if the submission doesn't have the correct token then it can be denied.

I wrote about this here, when I updated my site to work like this.

Re:Conceptual problem

[duncanthrax]

JSON is not the problem (the contact list could also be in XML or whatever other format), but the fact that Google hands out the contact list "script" based on cookie validation only. A simple referrer check should provide "good enough" security.

Re:Conceptual problem

[RvLeshrac]

This is a design flaw in Gmail because it affects all of the browsers involved, right? It doesn't just affect one of them?

Seriously, if this was an issue with all of the involved browsers, it would obviously be a flaw in Gmail. That's not the case.

Re:Conceptual problem

[JackHoffman]

Technically you're right: JSON is not limited to Javascript, even though the acronym means "JavaScript Object Notation". However, since JSON messages are by definition valid Javascript object definitions, it's not surprising that it's mostly used in the way GMail uses it: The page loads and executes scripts to move data from the server into the application on the client. This typical way of using JSON is prone to be exploited in the described fashion, unless the programmer has implemented additional security.

Re:Conceptual problem

contact list could also be in XML or whatever other format

Then it wouldn't be JSON (JavaScript Object Notation, not eXtensible Markup Language), and it wouldn't be exploitable in the described way because documents which come from different domains are inaccessible. You can't load slashdot.org into a frame on your page and read its contents, for example. The bug is indeed the combination of the typical JSON implementation with a complete lack of authenticating the requesting page.

Re:Conceptual problem

[smurfsurf]

No, it is not. Google does not return JSON data, it returns Javascript code. The embended call of the "google()" function with the contact data is the problem. Would it return just a JSON object, it would be inaccessible to the foreign page.

Re:Conceptual problem

The point is that JSON is defined such that it lends itself to being used in that way: A JSON message is a Javascript object definition, so it's only natural to put a var= in front of it or wrap it in a function call and load it as a script. This works universally, on all browsers, without the problems of the XMLHTTP object (which is an ActiveX object in IE6). It's an attractive way of using JSON (and IMHO the reason for the JSON notation in the first place), but it eliminates cross-domain security unless the server side requires extra authentication inside the request.

Some Background Information

[TubeSteak]

TFA has a link to this site for a demo:
http://googlified.com.googlepages.com/contactlist. htm

The page now says: Causing too much trouble already... I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google.

plugging googlified.com.googlepages.com into google
brings us to this url: http://blog.outer-court.com/forum/79255.html

Which in turn has a link to this site:
http://googlified.com/2006download-the-google-maps

A whois lookup on googlified.com

Domain Name.......... googlified.com
    Creation Date........ 2006-02-06
    Registration Date.... 2006-02-06
    Expiry Date.......... 2007-02-06
    Organisation Name.... Feng Zeng
    Organisation Address. [home(?) address]
    Organisation Address. Columbus
    Organisation Address. 43229
    Organisation Address. OH
    Organisation Address. UNITED STATES

Admin Name........... Haochi Chen
    Admin Address........ [home(?) address]
    Admin Address........ Columbus
    Admin Address........ 43229
    Admin Address........ OH
    Admin Address........ UNITED STATES
    Admin Email.......... haochi.chen@gmail.com
    Admin Phone.......... [real phone number]

P.S. http://googlified.com/about/
"More deeply, I am a 16 year old from the political battle ground in the United States - Ohio. I am currently a sophomore in a not-so-bad high school."

Re:Some Background Information

[hakrzcode]

How is this relevant? Does this make him a terrorist?

Re:Some Background Information

you're a stupid karma whoring faggot. offer something insightful u worthless sack of shit. hey wait, i know better. GO DIE

Re:Some Background Information

[clear_thought_05]

First: What does this have to do with the subject at hand? Off topic. -1
Second: If you take
http://googlified.com.googlepages.com/contactlist. htm
and just strip the html page and go to:
http://googlified.com.googlepages.com/
You'll find a link to googlified.com

Some things are so simple they're complicated I guess.

Not valid JSON, is it?

[claes]

I think the keys in JSON needs to be strings

Re:Not valid JSON, is it?

It's also not valid XML, not valid C, not valid Lisp, not valid French... what's your point?

Wow!

[repruhsent]

I'm glad that I run Firefox on Linux!

Oh wait...

Re:Makes me glad I switched back to IE7

[blueCommand]

That's funny. I can't seem to find the download link for Linux?

Fixed?

[prestonmcafee]

According to

http://blogs.zdnet.com/Google/?p=434
it is fixed.

Galeon too

[phrostie]

just FYI, it works with Galeon (2.x) as well.

Can be solved with HTTP referer

[moria]

I think it can be solved by Google checking HTTP referer before sending out the contact list via JSON, as long as the browser does not use cached content.

Re:Can be solved with HTTP referer

[vitality-jtw]

That wouldn't help as the referrer can be spoofed: http://en.wikipedia.org/wiki/Referer_spoofing

Re:Can be solved with HTTP referer

[moria]

That hack needs the user himself to install suicide spoof extensions/plugins. Since we trust the users, it should not be a concern. Good to know the problem has already been fixed.

Re:Can be solved with HTTP referer

[jZnat]

And to solve the cache problem, they send the "Cache-Control: no-store, no-cache, must-revalidate" header for that script.

Re:Can be solved with HTTP referer

You are wrong, and a moron.

http://www.webappsec.org/lists/websecurity/archive /2006-07/msg00069.html

That's a cluestick pwning you.

According to...

[deesine]

me, at 843 hours (PST), using FF 2.0.0.1, the problem is not fixed.

The Web browser as application portal

[Dystopian+Rebel]

These problems will not go away. Software engineers will always make mistakes and malevolent people will always want your private data. The Web is "open" by design and therefore open to exploits.

With the Web browser becoming an application portal, users need to understand that doing transactions that involve their personal data must be separate from general Web browsing.

You can switch off cookie permission and Javascript but this limits the functionality of many sites. I think the best solution is to use two different browsers, one for personal transactions, the other for wandering the Web.

it ought to be fine

[r00t]

Sure, I can hack the referrer to get into my own gmail account. Wooo, scary!

My browser should not grant this ability to random javascript it finds on the web.

Re:it ought to be fine

My browser should not grant this ability to random javascript it finds on the web.

Why not? You're underestimating both how simple it is to spoof a referrer, and how stupid it is to use the referrer for security purposes.

Wow

[Altanar]

C'mon, /. You're reporting this now? It's already been fixed.

Re:Wow

C'mon, Altanar. Click on the link in your own post and read it.

Re:Wow

[NereusRen]

C'mon, Altanar You're posting this now? It's not yet fixed.

(Yes, that's your own link. Read the discussion.)

Re:Wow

[Dan+Berlin]

Uh, docs.google.com being able to give you a list of contacts when you enter the address in *your* browser is not a bug or a security flaw.

The flaw *was* allowing *other sites* to use it as a src variable (IE someone *else's* site using that URL + your cookies).
This is indeed fixed.

phew! - doesn't spell relief for the mainstream

[doppiodave]

"We are lucky it was not Microsoft's Hotmail!"

i'm always happy to tell the tale of MS's FTC privacy bust in 2002. but there's a not so funny side to software vulnerabilities for the millions of poor slobs who aren't reading this thread, or any like it. i don't think the /. hardcore fully appreciate how skittish end-users have become about this stuff, esp since they can't tell fact from rumor, or javascript from egg nog (well, neither can i). step back and think about how the poor unwashed masses will feel when stories start circulating about some deadly hole, crack or loose gear in gmail.

the good news is that awareness and suspicion levels about software have gone way up in the last 18 months. the bad news is that skill and effort levels for dealing with this shit haven't gone anywhere. i get my read from the 3rd and 4th year undergrads i teach. smart as they may be, most are just beginning to sense that working on redmond's software may have a downside. the students in question were stunned recently when attachments created in Word were banned until further notice.

so what's the bottom line here? has google been getting too much whitewash? is the problem solved? should people be falling all over themselves to revive their hotmail accounts? can non-geeks ever find a realistic way to manage their software expectations?

disclaimer: we're doing several weeks this term on google. then vista's drm nightmare. i am not, however, prepared to disclose how many gmail invitations i sent out in 2006.

per-site fix is obvious

[r00t]

Lots of ways:

a. Place a 128-bit random number (UUID/GUID) into the URL for the contacts info.

b. Check the referrer. (foreign javascript should not be able to forge this)

c. Place an encrypted copy of the cookie into the URL of the contacts info.

d. Embed the contacts info in the page instead.

can't spoof it

[r00t]

Who has the gmail cookie?
Who wants to do the spoofing?
How is the spoofer going to get the cookie?

Right...

Re:can't spoof it

[yosofun]

Who has the gmail cookie? ... js Who wants to do the spoofing? ... evilMan How is the spoofer going to get the cookie? ... ajax

Re:can't spoof it

[r00t]

So you have a zero-day browser vulnerability that lets you see cookies from other sites. Good for you.

Mind sharing?

Your zero-day vulnerability is way bigger news than this gmail bug.

Don't volunteer that much info to Google

[mabu]

This is only a problem for people who are violating one of the primary security policies in the first place, and that's putting your contact list in Gmail in the first place. While Google may claim to not be evil now, there's no guarantee at any time in the future, all the information they collect from you and on you won't be given or sold to other entities or otherwise exploited for nefarious purposes. In fact, it's pretty much an inevitability this will happen, so it's not smart in the first place to store much information on their systems when more secure alternatives already exist.

Re:Don't volunteer that much info to Google

[shellbeach]

This is only a problem for people who are violating one of the primary security policies in the first place, and that's putting your contact list in Gmail in the first place. While Google may claim to not be evil now, there's no guarantee at any time in the future, all the information they collect from you and on you won't be given or sold to other entities or otherwise exploited for nefarious purposes. Whilst this is true, it's just the same as giving one's details to banks, credit card companies, phone companies, etc, etc ... they all have access to private and confidential information. I'm not sure that there's any more reason to suspect that they're any better or worse than Google - and judging from all the credit card snail-mail spam (from rival companies) that I've got since reluctantly obtaining a credit card, there's very good evidence to suggest that they wilfully share this info.

Of course, by placing all your email in the hands of a company, you're undoubtedly taking a huge risk. But - perhaps unfortunately - it doesn't stop me doing it! I guess you have to hope that the huge amounts of bad will and loss of custom a company would get from using or distributing such information is incentive enough to leave well alone ...

Re:Don't volunteer that much info to Google

It occured to me the other day that so many people are now using google analytics, and since I almost always have a gmail tab open, so now google tracks me by name, and they now have a very thourough and detailed map of my browsing habits. I wonder how much money that could make them if they decide to exploit it.

Fixed for me...

[carney1979]

As reported, it is fixed, at least in my case where I'm using Firefox 2.0 on Linux.

I like how open source software bugs get fixed (usually) really fast when compared to non-open source software.

David

Re:Fixed for me...

[CNeb96]

It's a problem with gmail which effects every browser. No open source software involved.

Not Fixed

[astrosmash]

Still works for me. You can run this script from a local html file to check:

<html>
<head>
<script>
function google(a) {
document.write("<ol>");
for (i = 0; i < a.Body.Contacts.length; i++) {
document.write("<li>" + a.Body.Contacts[i].Email + "</li>");
}
document.write("</ol>");
}
</script>
<script src="http://docs.google.com/data/contacts?out=js&s how=ALL&psort=Affinity&callback=google&max=99999"> </script></head>
<body>
Hello
</body>
</html>

Re:Not Fixed

[complete+loony]

JS is often cached. The code you posted did not work for me.

3rd party cookie problem

[rogersc]

It looks to me as if the real culprit is 3rd party cookies. These have almost no legitimate use, and are mainly used by advertisers like doubleclick.net to track users. Third party cookies are turned on by default in the browsers, but you can turn them off. This is another reason to turn them off.

D is an AJAX candidate

You forgot AJAX: Store the contacts on the server as an XML resource and let the browser cache the XML. Replace the JSON load/unload code with stuff that loads the XML contact resources in the background and invalidates the cache with blank data at logout.

Hmm

Only happens in FireFox....and not IE7 (IE6 wasn't tested). at the time of my posting this, only 66 replies.

Funny. If it said "this only happens in IE" there would be 500+ replies, all saying how badly IE sucks and how you should use Opera or FF.

Funny how the /. fanbois ignore things that are exposures of security issues with Firefox...

Re:Hmm

[RvLeshrac]

Better yet, if it was a vulnerability that only affected IE, it would be IE's fault.

Since the vulnerability only shows up in Firefox, however, it obviously must be the website's fault.

Think of the absurdity. "Three individuals purchased steak from Tesco recently. One of the individuals died after braising her cut in potassium cyanide, and a full investigation has been launched against the grocer. The other two individuals cited have suffered no ill effects."

Speaking of grammar errors...

[Artifice_Eternity]

"By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. ..."

In other words, the submitter says that when a malicious website logs into Gmail and visits a website, it can steal my contact list.

Someone needs to learn how to use dependent clauses. The subject of the sentence above is a malicious website, and that's who is being described in the dependent clause as logging into Gmail and visiting a website.

Untested in most used browser?

How can get to front page an article about some browser vulnerabilities that says it's untested on the most used one?
"With some cell phones you can call for free. It works with Phillips and Siemens, it does not on Panasonic, and has not been tested on Nokia, SonyEriccson or Motorola."
Lol, then test it before wasting our time.

I'm running at least two Firefox

I'm using one Firefox instance only for GMail/Yahoo!/eBay/banking website and another one for surfing. Both instances are launched from separate user accounts, displayed on the same X (but in different 'virtual desktops'). I don't ever enter any personal information in the 'unsafe' user account I use for surfing. It's a sad state of affair, but it's a fact that the lists of vulnerabilities for every single browser is lloonngg (browser more secure than IE [not hard] have regularly vulnerabilities rated 'critical'). So a long time ago I decided that surfing from my main user account was not a good idea. This post brougth to you by a throwaway user called 'temp' that has only one non-hidden dir: ~/firefox/. For some time I was even surfing using a temp user on a throwaway Xen para-virtualized Linux guest, but sometimes I watch some Youtube/Metacafe crap and it wasn't nice over VNC.

Re:Typical of /.

Waaahhhh!!!

Nope; it's more of Google's arrogant sloppiness

I like how so many of you are pointing the blame to anyone BUT Google.
Susbsitute Hotmail for GMail in the article, and see if you have the same spin.
We all know that if hotmail had this vulnerability, there'd be hundreds of posts here gloating. Instead, we have Google sycophants spinning like crazy!!

Get it through your thick skulls - Google's programmers are no better than anyone elses. They all come from the same universities. Google programmers are not gods, they're humans, and just as capable as screwups as anyone else. Maybe even more so, given the arrogance of the company that leads their employees to believe their own press clippings about how superiour they are to anyone else.

This is not the first time that Google has been extremely sloppy and careless with users' personal info, and it won't be the last.
And to think, this is the company that slashdotters advocate businesses use for corporate email and corporate document storage!! LOLOLOL

Re:Wow - MODERATORS PLEASE READ

[multisync]

C'mon, mods. Follow the links and read before moderating.

nope

[r00t]

I spoof the referrer all the time, using the "wget" command. That does no good for attacking gmail though, because how am I to get the required cookie?

The spoof would have to work from Javascript or Java, creating connections on behalf of the user. Merely opening a TCP/IP socket won't do, because you'd not be able to shove the cookie down the wire.

Re:nope

[mrchaotica]

I don't know a whole lot about cookies, but wouldn't you think `wget` would provide a way to download them if you need to?

Re:nope

[r00t]

You can certainly get YOUR OWN cookies using wget. You may then use wget to break into your own account. You can even create defective cookies, which can be used for some fun at horrifically-designed web sites.

You don't get to run wget from within a browser belonging to somebody else, which is where you need to do the spoofing if you want to grab contacts info from somebody else.

GMail is beta

[asCii88]

You shouldn't be suprised... as you all know GMail is still in beta.

Re:GMail is beta

[owlstead]

Hmm, funny you would mention that. It seems to be a pretty stupid bug, but maybe this is why it is still in beta, not just because Google tries to get out of their responsabilities.

Doesn't work in Opera 9.02

[Rui+del-Negro]

It doesn't seem to work in Opera 9.02, despite some people saying that it works on every browser. Either Google has changed something or the example code isn't working.

Doesn't work in GYAFD

Worth noting that this exploit doesn't work at all if you use Google Apps For Your Domain, you just get a JS file saying "success: false"

Explanation & Possible Solutions

[kazad]

I posted this on reddit which broke the story earlier, and on my blog. Thought you might find it useful.

Quick follow-up. On digg someone posted the un-obfuscated code: http://www.cc.gatech.edu/~achille/contacts-source. txt

How it works

The code is pretty straightforward. Basically, Google docs has an embedded script that will run a callback function, passing the function your contact list as an object. The embedded script presumably checks a cookie to ensure you are logged into a Google account before handing over the list.

Unfortunately, the script doesnt check what page is making the request. So, if you are logged in on window 1, window 2 (an evil site) can make the function call. Since you are logged in somewhere, the cookie is valid and the request goes through.

Also, if you check the object that is returned, you see fields for the contact's name, email and "affinity". Presumably, a higher affinity means a more-emailed contact, so it may be possible to know the relative weight of links.

Possible solutions

Google is run by smart people and I'm sure they'll have this fixed soon. A few suggestions appear to be popping up, all centered on making sure the user is on a Google.com page and not a random site:

Referrer blocking: Block all requests from sites not in the google.com domain. However, some people run referrer-blocking software. It may be the price they have to pay for security, but there could be other consequences.

Script checks: An idea I had was to check the window.location (just like you check the cookie) to make sure it's coming from a google.com domain. This is another way to see what page is making the request.

Challenge-response: Google pages (like Gmail) can have some token or unique, computed data that they submit with their requests. Random pages won't have access to this token when they make the function call.

(From user JRF on reddit): Include part of cookie in the request URL as a unique token that only a "real" Google page would know. Need to watch out for proxies/browser history (accessible from other pages) being able to access this unique data. May need to seed or salt it in a challenge-response system.

It's interesting thinking of fixes for this - do you have any other suggestions for how Google would fix this?

Re:Explanation & Possible Solutions

[appavi]

I have posted this solution earlier in this thread. Since you are asking I am posting it again. Easiest way is to filter by HTTP Request method.
1. Check for the HTTP Request method. If it is POST, send the data. For other request methods like HEAD, GET send HTTP Status code 403(Forbidden).
2. For Google applications, they should use XMLHttpRequest and POST method to retrieve the data. This will be allowed due to same domain policy.
3. Unless otherwise specified, browsers does a GET request for a required resource. So javascript url in scripts tag of third party web sites will be processed as GET by browser and will get a 403 response code. So third party websites must use POST to get google data which is impossible due to same domain restrictions.

Re:Explanation & Possible Solutions

[IAmGarethAdams]

I agree with your comments, but a 405 (Method Not Allowed) HTTP status code would be an ideal choice rather than 403

Re:Explanation & Possible Solutions

[appavi]

Thanks for your comment. I forgot about 405. 405 will be the appropriate status code in this case.

Re:Explanation & Possible Solutions

[kazad]

Thanks for the comment. I had wondered about POST requests as well, but a few sources seem to say that POST requests can be forged using Javascript.

http://getahead.ltd.uk/blog/joe/2007/01/01/csrf_at tacks_or_how_to_avoid_exposing_your_gmail_contacts .html

"Switching to POST and denying GET: Forms can be trivially altered with DOM manipulation to forge POST requests."

I'm not an expert in CSRF (hadn't heard about it till this incident, which sparked my interest), but is this a problem? Do you know how this could be done?

Re:Explanation & Possible Solutions

[appavi]

Even I am also new to Cross site scripting and I am learning about it. Today I discovered that I was wrong when I said third party websites cant make POST request to websites in different domain. Actually they can make POST requests through iframes but they cant read the data sent by the server due to same origin policy[1].

When a request is sent to the server either one of the following things may happen,
1. Data remains the same in the server after the server completes the request.
Ex. Get the list of all contacts. In this case data is not changed in the server side. This is just a Data request.
2. Data gets changed due to the incoming request.
Ex. Transfer $100 from Account A to B. In this case data gets changed in the server side.

My solution works only for request which are of type 1 and it will fail for requests of type 2. Gmail vulnerability discovered now belongs to type 1 request where data is not changed. Even if the third party web sites makes a POST request to Google site, they will not be able to read the data. So my solution works for Gmail vulnerability but it may not work for other type of requests where data is changed in the server side due to the client request.

[1] I simulated this case in my pc, I was able to make POST requests using to a different website iframes. But I was not able to read the data that was sent from the server to the iframe. If you want peek at these files, just drop me an email.

First link in the aritcle

[rootEToTheIPi]

I tried the first link in the article and I got a page with only this text: google ({ Success: false, Errors: [] }) It seems to not work. I'm using Firefox v. 1.5.0.9, and I was logged in to gmail at the time. Can anyone explain this?

Re:First link in the aritcle

[ninjapiratemonkey]

They fixed the javascript problem, but your contact list can still be accessed through xml so, while the original problem that was found has been corrected, there's still other problems that work just as well, and probably many more yet to be discoverd ones.

Re:First link in the aritcle

[nwbvt]

You mean probably many more yet to be published ones. Google (and the rest of us) will only find out about these if the person who finds them is nice enough to tell everyone. While I'm guessing most people in the world are nice enough to do that, its the few who aren't that I'm worried about...

But I guess these security violations and performance problems and accessibility issues are all small prices to pay if you want a fancy "Web 2.0" website...

Some details on how it works

[joe_fish]

It's a CSRF attack. For more details see this blog post http://getahead.ltd.uk/blog/joe/2007/01/01/csrf_at tacks_or_how_to_avoid_exposing_your_gmail_contacts .html#preview

Nonsense

[truth_revealed]

XML has no special cross-domain security over plain JSON.

JSON is not the problem here. The problem was the stupid google({}) function call wrapped around the JSON in the reply. Remove that stupid function call and everything is fine. Since you cannot receive or send data via XmlHttpRequest to a domain other than the one that served up the HTML, you will not be at risk if only JSON is returned.

The sky is falling!
The sky is falling!
Sheesh.

Re:Nonsense

[Bogtha]

XML has no special cross-domain security over plain JSON.

It's not XML that is special, it's JSON, because it can be parsed as JavaScript.

Since you cannot receive or send data via XmlHttpRequest to a domain other than the one that served up the HTML, you will not be at risk if only JSON is returned.

You misunderstand, the whole point is that you don't need XMLHttpRequest if the data can be parsed as JavaScript. You just need to include it with a <script> element.

Re:Nonsense

[kalirion]

You misunderstand, the whole point is that you don't need XMLHttpRequest if the data can be parsed as JavaScript. You just need to include it with a element.

Huh? I must be missing something big here, because I thought the whole point of XMLHttpRequest is so that you could easily query the server for data without reloading any pages or (i)frames. Lots of people get that data in XML format, others use plain text, and seems others use JSON. Whatever the format, you need XMLHttpRequest to get that data from the server. If you just included it in a element on page load, it would be a plain old "WEB 1.0" web page, the kind you get if you click on the "Basic HTML" link in GMail.

Re:Nonsense

[mongus]

You don't have to use XMLHttpRequest. You can dynamically add a script node to the document if you've got JavaScript you want to include from a different site.

Here's an example.

Re:Nonsense

[truth_revealed]

It is very simple. The text google({"foo":"bar"}) is valid javascript when included and parsed via a script tag. The JSON text {"foo":"bar"} is not valid Javascript when included parsed via a script tag. It is a syntax error in Firefox, Mozilla, IE6 and every browser I've tried.

I only mentioned XmlHttpRequest because some have incorrectly argued that you could still make an XHR call to a foreign website and get the raw JSON information. XHR prevents this with its site-of-origin policy. This bug was solely caused by Google's incorrect use of Javascript.

JSON is fine for use in AJAX web sites, and the sky is not falling.

Re:Nonsense

[kalirion]

Oh, I didn't realize you could do that. Well, learn something new every day :) Thanks!

+5 Right on the Money

[truth_revealed]

I agree completely. It is a Google bug, plain and simple. JSON in a browser is perfectly safe if used correctly.

not anymore

[Sledgedot]

google has already fixed this problem

Fixed

[linuxci]

It has now been fixed.

Re:Fixed

[davidmcg]

Not quite, that particular exploit has been fixed but the list is still freely available in XML form.

What A Waste

[cwells]

This was a complete waste of a post! Unless its intent was to drum up some reader responses due to a decline in web activity which perhaps led to a decline in revenue for this site. Just thinking out loud.

My solution

[XNormal]

I run gmail and other google services requiring login from a separate browser. Set the theme so this browser is visually distinct from your main browser. On Linux use a wrapper script to start with a different user. On Windows you can use K-Meleon (unfortunately, PortableFirefox cannot run in parallel with regular firefox).

Not perfect, but it works for me.