Slashdot Mirror


GMail Vulnerable To Contact List Hijacking

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a JavaScript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet Explorer 7. IE6 was untested as of now."

2 of 139 comments

  1. Some Background Information by TubeSteak · · Score: 0, Offtopic
    TFA has a link to this site for a demo:
http://googlified.com.googlepages.com/contactlist.htm

    The page now says: Causing too much trouble already... I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google.

Plugging googlified.com.googlepages.com into Google brings us to this URL:
    http://blog.outer-court.com/forum/79255.html

    Which in turn has a link to this site:
    http://googlified.com/2006download-the-google-maps

A whois lookup on googlified.com:
        Domain Name.......... googlified.com
        Creation Date........ 2006-02-06
        Registration Date.... 2006-02-06
        Expiry Date.......... 2007-02-06
        Organisation Name.... Feng Zeng
        Organisation Address. [home(?) address]
        Organisation Address. Columbus
        Organisation Address. 43229
        Organisation Address. OH
        Organisation Address. UNITED STATES

        Admin Name........... Haochi Chen
        Admin Address........ [home(?) address]
        Admin Address........ Columbus
        Admin Address........ 43229
        Admin Address........ OH
        Admin Address........ UNITED STATES
        Admin Email.......... haochi.chen@gmail.com
        Admin Phone.......... [real phone number]


    P.S. http://googlified.com/about/
    "More deeply, I am a 16 year old from the political battle ground in the United States - Ohio. I am currently a sophomore in a not-so-bad high school."
    --
    [Fuck Beta]
    o0t!
  2. 3rd party cookie problem by rogersc · · Score: 0, Offtopic

    It looks to me as if the real culprit is 3rd party cookies. These have almost no legitimate use, and are mainly used by advertisers like doubleclick.net to track users. Third party cookies are turned on by default in the browsers, but you can turn them off. This is another reason to turn them off.