Slashdot Mirror


GMail Vulnerable To Contact List Hijacking

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet Explorer 7. IE6 was untested as of now."

5 of 139 comments

  1. Which is the problem? by Zaphod-AVA · · Score: 5, Insightful

    So is this a Firefox, Gmail, or javascript vulnerability?

    1. Re:Which is the problem? by Bogtha · · Score: 5, Insightful

      GMail. JSON should not be used for sensitive data because any old website can reference it simply by including it as an external script. The Google developers should not have used JSON for this information; they did, and that is why this information leak exists. There are ways to protect JSON from this (e.g. nonces), but you have to actually add this security yourself, rather than relying on the browser's built-in cross-domain security like you could if you were using XML etc.

      --
      Bogtha Bogtha Bogtha
  2. Works in most any JavaScript browser by wnknisely · · Score: 4, Insightful

    According to the reports on Digg this hack works in all modern browsers. The real fix is probably to stop storing the contact list in a local JavaScript-based file. (Or to always be sure to log out of Google after visiting a Google page.)


    http://www.digg.com/programming/GMail_Hacked_Visit_ANY_Website_and_Your_Whole_Contact_List_Can_be_Stolen
    --
    In illa quae ultra sunt
    1. Re:Works in most any JavaScript browser by Elentari · · Score: 2, Insightful

      Hopefully, one main difference between Digg and Slashdot is that the users here won't go and deliberately click the URL to watch their own account get hacked.

  3. Why do I bother with this site? by Inda · · Score: 4, Insightful

    Slashdot says:

    "So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet Explorer 7"

    TFA says:

    "I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three."

    Got any jobs going? I could do a nice armchair job at Slashdot. I'd be willing to work the full 3 hours a week.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.