Slashdot Mirror

← Back to Stories (view on slashdot.org)

GMail Vulnerable To Contact List Hijacking

Posted by Hemos on from the in-special-circumstances dept.

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7. IE6 was un-tested as of now."

3 of 139 comments (clear)

  1. Explanation & Possible Solutions by kazad · · Score: 2, Interesting

    I posted this on reddit which broke the story earlier, and on my blog. Thought you might find it useful.

    Quick follow-up. On digg someone posted the un-obfuscated code: http://www.cc.gatech.edu/~achille/contacts-source. txt

    How it works

    The code is pretty straightforward. Basically, Google docs has an embedded script that will run a callback function, passing the function your contact list as an object. The embedded script presumably checks a cookie to ensure you are logged into a Google account before handing over the list.

    Unfortunately, the script doesnt check what page is making the request. So, if you are logged in on window 1, window 2 (an evil site) can make the function call. Since you are logged in somewhere, the cookie is valid and the request goes through.

    Also, if you check the object that is returned, you see fields for the contact's name, email and "affinity". Presumably, a higher affinity means a more-emailed contact, so it may be possible to know the relative weight of links.

    Possible solutions

    Google is run by smart people and I'm sure they'll have this fixed soon. A few suggestions appear to be popping up, all centered on making sure the user is on a Google.com page and not a random site:

    Referrer blocking: Block all requests from sites not in the google.com domain. However, some people run referrer-blocking software. It may be the price they have to pay for security, but there could be other consequences.

    Script checks: An idea I had was to check the window.location (just like you check the cookie) to make sure it's coming from a google.com domain. This is another way to see what page is making the request.

    Challenge-response: Google pages (like Gmail) can have some token or unique, computed data that they submit with their requests. Random pages won't have access to this token when they make the function call.

    (From user JRF on reddit): Include part of cookie in the request URL as a unique token that only a "real" Google page would know. Need to watch out for proxies/browser history (accessible from other pages) being able to access this unique data. May need to seed or salt it in a challenge-response system.

    It's interesting thinking of fixes for this - do you have any other suggestions for how Google would fix this?

  2. Re:Don't volunteer that much info to Google by shellbeach · · Score: 2, Interesting

    This is only a problem for people who are violating one of the primary security policies in the first place, and that's putting your contact list in Gmail in the first place. While Google may claim to not be evil now, there's no guarantee at any time in the future, all the information they collect from you and on you won't be given or sold to other entities or otherwise exploited for nefarious purposes. Whilst this is true, it's just the same as giving one's details to banks, credit card companies, phone companies, etc, etc ... they all have access to private and confidential information. I'm not sure that there's any more reason to suspect that they're any better or worse than Google - and judging from all the credit card snail-mail spam (from rival companies) that I've got since reluctantly obtaining a credit card, there's very good evidence to suggest that they wilfully share this info.

    Of course, by placing all your email in the hands of a company, you're undoubtedly taking a huge risk. But - perhaps unfortunately - it doesn't stop me doing it! I guess you have to hope that the huge amounts of bad will and loss of custom a company would get from using or distributing such information is incentive enough to leave well alone ...

  3. Nonsense by truth_revealed · · Score: 2, Interesting

    XML has no special cross-domain security over plain JSON.

    JSON is not the problem here. The problem was the stupid google({}) function call wrapped around the JSON in the reply. Remove that stupid function call and everything is fine. Since you cannot receive or send data via XmlHttpRequest to a domain other than the one that served up the HTML, you will not be at risk if only JSON is returned.

    The sky is falling!
    The sky is falling!
    Sheesh.