Slashdot Mirror

← Back to Stories (view on slashdot.org)

GMail Vulnerable To Contact List Hijacking

Posted by Hemos on from the in-special-circumstances dept.

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7. IE6 was un-tested as of now."

18 of 139 comments (clear)

  1. Submitter has a problem with Firefox? by CTho9305 · · Score: 5, Informative

    RTFA:
    I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three.

    Does the submitter have some agenda against Firefox?

    --
    My server
    1. Re:Submitter has a problem with Firefox? by Tim+C · · Score: 4, Informative

      It works fine in my install of FF 2.0.0.1; you have to be logged in to gmail for it to work. Despite what it says in the summary, it also works in IE7 - in fact, it'll work in any browser that

      * supports cookies
      * supports loading of resources from domains other than the one the currently-loaded page is hosted on
      * supports accessing those resources

      ie pretty much all (modern) browsers.

      --
      It's official. Most of you are morons.
    2. Re:Submitter has a problem with Firefox? by Tim+C · · Score: 2, Informative

      Strangely enough, it's no longer working for me in Firefox (2.0.0.1, WinXP); I think google may have fixed the problem. Whether it's a real fix or an obscuration I have no idea.

      --
      It's official. Most of you are morons.
  2. Re:Which is the problem? by Stalus · · Score: 4, Informative

    Works fine in IE6. TFA states "I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three." so I'm not sure where the poster got the idea that it was Firefox only.

  3. It's an information leak by MarkByers · · Score: 4, Informative

    http://docs.google.com/data/contacts?out=js&show=A LL&psort=Affinity&callback=google&max=99999

    It can be exploit by writing a callback function in Javascript, that can do anything, and then passing it to the above link, which gives your function all the users contact info.

    --
    I'll probably be modded down for this...
    1. Re:It's an information leak by whiteknight31 · · Score: 3, Informative

      Heres the code that the original site used. http://www-static.cc.gatech.edu/~achille/contacts- source.txt

  4. Re:Works in most any java-script browser by MarkByers · · Score: 2, Informative

    Actually it is not stored locally in Javascript. I assume that the information is stored in some sort of filesystem / database and converted to Javascript on the fly to ease integration with other applications. You can also get the same information as XML if you prefer:

    http://docs.google.com/data/contacts

    --
    I'll probably be modded down for this...
  5. Conceptual problem by JackHoffman · · Score: 5, Informative

    Loading script files to exchange data with the server is a very common mechanism. It even has a name: JSON. It wouldn't surprise me to find that there are many more web applications which could be exploited in this way. This isn't a browser vulnerability or a simple bug. It is a design flaw of a widely used communication protocol.

    1. Re:Conceptual problem by zataang · · Score: 2, Informative

      Please don't jump to conclusions. As one of the comment above notes, cross-domain xmlHTTPRequests are anyway blocked by all the main browsers. The problem in this case is because of a particular way in which the data is stored by Gmail. Calling it a design flaw of JSON is stupid.

  6. Fixed? by prestonmcafee · · Score: 4, Informative
    According to

    http://blogs.zdnet.com/Google/?p=434
    it is fixed.

  7. Re:How does this work by dolphinling · · Score: 3, Informative

    No. Cross-domain xmlhttprequests are blocked by firefox at least, and I'd suspect by other browsers as well. The point is that you don't have to do a cross-domain xmlhttprequest here, since google conveniently stores it in a separate javascript file, and that is embeddable in other pages.

    --
    There are 11 types of people in the world: those who can count in binary, and those who can't.
  8. Galeon too by phrostie · · Score: 2, Informative

    just FYI, it works with Galeon (2.x) as well.

  9. Re:How does this work by TubeSteak · · Score: 4, Informative

    Here's the super simple explanation

    1. Gmail sets a cookie saying you're logged in
    2. A [3rd party] javascript tells you to call Google's script
    3. Google checks for the Gmail cookie
    4. The cookie is valid
    5. Google hands over the requested data to you

    If [3rd party] wanted to keep your contact list, the javascript would pass it to a form and your computer would happily upload the list to [3rd party]'s server.

    At no point does [3rd party] make any request to Google.

    --
    [Fuck Beta]
    o0t!
  10. Wow by Altanar · · Score: 4, Informative

    C'mon, /. You're reporting this now? It's already been fixed.

  11. per-site fix is obvious by r00t · · Score: 2, Informative

    Lots of ways:

    a. Place a 128-bit random number (UUID/GUID) into the URL for the contacts info.

    b. Check the referrer. (foreign javascript should not be able to forge this)

    c. Place an encrypted copy of the cookie into the URL of the contacts info.

    d. Embed the contacts info in the page instead.

  12. Re:it ought to be fine by Anonymous Coward · · Score: 1, Informative
    My browser should not grant this ability to random javascript it finds on the web.

    Why not? You're underestimating both how simple it is to spoof a referrer, and how stupid it is to use the referrer for security purposes.

  13. Not Fixed by astrosmash · · Score: 4, Informative

    Still works for me. You can run this script from a local html file to check:

    <html>
    <head>
    <script>
    function google(a) {
    document.write("<ol>");
    for (i = 0; i < a.Body.Contacts.length; i++) {
    document.write("<li>" + a.Body.Contacts[i].Email + "</li>");
    }
    document.write("</ol>");
    }
    </script>
    <script src="http://docs.google.com/data/contacts?out=js&s how=ALL&psort=Affinity&callback=google&max=99999"> </script></head>
    <body>
    Hello
    </body>
    </html>

    --
    ENDUT! HOCH HECH!
  14. Re:Which is the problem? by buro9 · · Score: 4, Informative

    It's a problem with web services that comes from an assumption that JavaScript cross-domain security is in place.

    When you surface data via Xml web services, you can only call the web service on the domain that the JavaScript calling it originates from. So if you write your web services with AJAX in mind exclusively, then you have made the assumption that JavaScript is securing your data.

    The problem is created at two points:
    1) When you rely on cookies to perform the implicit authentication that reveals the data.
    2) When you allow rendering of the data in JSON which bypasses JavaScript cross-domain security.

    This can be solved by doing two things:
    1) Make one of the parameters to a web service a security token that authenticates the request.
    2) Make the security token time-sensitive (a canary) so that a compromised token does not work if sniffed and used later.

    The security token should be gathered by authenticating the user according to a mechanism that the user controls. Think of the way that the Flickr API asks you to grant an application access to your data.

    Anyhow, use the noscript extension in Firefox to ensure that your data is not compromised, as you will be able to choose to block the script from running, and in doing so prevent others from gaining access to your data.

    The Internet Exporer alternative is to disable JavaScript, but few people ever do this because too few sites (especially Web2.0 sites) degrade gracefully when JavaScript is disabled.