GMail Vulnerable To Contact List Hijacking

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7. IE6 was un-tested as of now."

Which is the problem?

[Zaphod-AVA]

So is this a Firefox, Gmail, or javascript vulnerability?

Re:Which is the problem?

[Stalus]

Works fine in IE6. TFA states "I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three." so I'm not sure where the poster got the idea that it was Firefox only.

Re:Which is the problem?

[Bogtha]

GMail. JSON should not be used for sensitive data because any old website can reference it simply by including it as an external script. The Google developers should not have used JSON for this information, they did, and that is why this information leak exists. There are ways to protect JSON from this (e.g. nonces) but you have to actually add this security yourself, rather than relying on the browser's built-in cross-domain security like you could if you were using XML etc.

Re:Which is the problem?

[buro9]

It's a problem with web services that comes from an assumption that JavaScript cross-domain security is in place.

When you surface data via Xml web services, you can only call the web service on the domain that the JavaScript calling it originates from. So if you write your web services with AJAX in mind exclusively, then you have made the assumption that JavaScript is securing your data.

The problem is created at two points:
1) When you rely on cookies to perform the implicit authentication that reveals the data.
2) When you allow rendering of the data in JSON which bypasses JavaScript cross-domain security.

This can be solved by doing two things:
1) Make one of the parameters to a web service a security token that authenticates the request.
2) Make the security token time-sensitive (a canary) so that a compromised token does not work if sniffed and used later.

The security token should be gathered by authenticating the user according to a mechanism that the user controls. Think of the way that the Flickr API asks you to grant an application access to your data.

Anyhow, use the noscript extension in Firefox to ensure that your data is not compromised, as you will be able to choose to block the script from running, and in doing so prevent others from gaining access to your data.

The Internet Exporer alternative is to disable JavaScript, but few people ever do this because too few sites (especially Web2.0 sites) degrade gracefully when JavaScript is disabled.

Re:Which is the problem?

Uhhh... you should be thanking these "bozos" for releasing the exploit so it can be fixed, tough-programmer-guy. If your programmer friends are such l337 d00ds then maybe they'd find and fix some of these exploits themselves, instead of being blindly vulnerable until some "bozos" save their ass. BTW, what does being a programmer have to do with being able to "retaliate" against some obviously much smarter programmers? Gonna send them some code? Gonna do a double compile on their bitch asses?

Why dont you ask your l337 h@X0r buddies to just look at the code. Then you'd see how the vulnerability works, and what information it can retrieve. Though I dont know if the code will look right when they try to open it in VB.

Submitter has a problem with Firefox?

[CTho9305]

RTFA:
I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three.

Does the submitter have some agenda against Firefox?

Re:Submitter has a problem with Firefox?

[islanduniverse]

I'm glad I've switched back to IE7!

Re:Submitter has a problem with Firefox?

[Tim+C]

It works fine in my install of FF 2.0.0.1; you have to be logged in to gmail for it to work. Despite what it says in the summary, it also works in IE7 - in fact, it'll work in any browser that

* supports cookies
* supports loading of resources from domains other than the one the currently-loaded page is hosted on
* supports accessing those resources

ie pretty much all (modern) browsers.

Re:Submitter has a problem with Firefox?

[Tim+C]

Strangely enough, it's no longer working for me in Firefox (2.0.0.1, WinXP); I think google may have fixed the problem. Whether it's a real fix or an obscuration I have no idea.

Phew!

[sorrill]

We are lucky it was not Microsoft's Hotmail!

Works in most any java-script browser

[wnknisely]

According to the reports on Digg this hack works in all modern browsers. The real fix is probably to stop storing the contact list in a local java-script based file. (Or to always be sure to log out of Google after visiting a google page.)

http://www.digg.com/programming/GMail_Hacked_Visit _ANY_Website_and_Your_Whole_Contact_List_Can_be_St olen

Re:Works in most any java-script browser

[Elentari]

Hopefully, one main difference between Digg and Slashdot is that the users here won't go and deliberately click the URL to watch their own account get hacked.

Re:Works in most any java-script browser

[MarkByers]

Actually it is not stored locally in Javascript. I assume that the information is stored in some sort of filesystem / database and converted to Javascript on the fly to ease integration with other applications. You can also get the same information as XML if you prefer:

http://docs.google.com/data/contacts

Re:Works in most any java-script browser

[thopkins]

Most users on Slashdot won't click any links, especially links for the articles on which they are about to comment. ;)

It's an information leak

[MarkByers]

http://docs.google.com/data/contacts?out=js&show=A LL&psort=Affinity&callback=google&max=99999

It can be exploit by writing a callback function in Javascript, that can do anything, and then passing it to the above link, which gives your function all the users contact info.

Re:It's an information leak

[whiteknight31]

Heres the code that the original site used. http://www-static.cc.gatech.edu/~achille/contacts- source.txt

Why do I bother with this site?

[Inda]

Slashdot says:

"So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7"

TFA says:

"I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three."

Got any jobs going? I could do nice armchair job at Slashdot. I'd be willing to work the full 3 hours a week.

Re:Why do I bother with this site?

[Headcase88]

I could do nice armchair job at Slashdot.

Not with that sentence structure. You only made one grammar error. You could never be a /. editor.

Thank goodness

[messner_007]

Thank goodness. I was beginning to think that no one cared about my contacts.

Conceptual problem

[JackHoffman]

Loading script files to exchange data with the server is a very common mechanism. It even has a name: JSON. It wouldn't surprise me to find that there are many more web applications which could be exploited in this way. This isn't a browser vulnerability or a simple bug. It is a design flaw of a widely used communication protocol.

Re:Conceptual problem

[zataang]

Please don't jump to conclusions. As one of the comment above notes, cross-domain xmlHTTPRequests are anyway blocked by all the main browsers. The problem in this case is because of a particular way in which the data is stored by Gmail. Calling it a design flaw of JSON is stupid.

Wow!

[repruhsent]

I'm glad that I run Firefox on Linux!

Oh wait...

Fixed?

[prestonmcafee]

According to

http://blogs.zdnet.com/Google/?p=434
it is fixed.

Re:How does this work

[dolphinling]

No. Cross-domain xmlhttprequests are blocked by firefox at least, and I'd suspect by other browsers as well. The point is that you don't have to do a cross-domain xmlhttprequest here, since google conveniently stores it in a separate javascript file, and that is embeddable in other pages.

Galeon too

[phrostie]

just FYI, it works with Galeon (2.x) as well.

Re:How does this work

[TubeSteak]

Here's the super simple explanation

1. Gmail sets a cookie saying you're logged in
2. A [3rd party] javascript tells you to call Google's script
3. Google checks for the Gmail cookie
4. The cookie is valid
5. Google hands over the requested data to you

If [3rd party] wanted to keep your contact list, the javascript would pass it to a form and your computer would happily upload the list to [3rd party]'s server.

At no point does [3rd party] make any request to Google.

Wow

[Altanar]

C'mon, /. You're reporting this now? It's already been fixed.

per-site fix is obvious

[r00t]

Lots of ways:

a. Place a 128-bit random number (UUID/GUID) into the URL for the contacts info.

b. Check the referrer. (foreign javascript should not be able to forge this)

c. Place an encrypted copy of the cookie into the URL of the contacts info.

d. Embed the contacts info in the page instead.

Not Fixed

[astrosmash]

Still works for me. You can run this script from a local html file to check:

<html>
<head>
<script>
function google(a) {
document.write("<ol>");
for (i = 0; i < a.Body.Contacts.length; i++) {
document.write("<li>" + a.Body.Contacts[i].Email + "</li>");
}
document.write("</ol>");
}
</script>
<script src="http://docs.google.com/data/contacts?out=js&s how=ALL&psort=Affinity&callback=google&max=99999"> </script></head>
<body>
Hello
</body>
</html>

GMail is beta

[asCii88]

You shouldn't be suprised... as you all know GMail is still in beta.

Explanation & Possible Solutions

[kazad]

I posted this on reddit which broke the story earlier, and on my blog. Thought you might find it useful.

Quick follow-up. On digg someone posted the un-obfuscated code: http://www.cc.gatech.edu/~achille/contacts-source. txt

How it works

The code is pretty straightforward. Basically, Google docs has an embedded script that will run a callback function, passing the function your contact list as an object. The embedded script presumably checks a cookie to ensure you are logged into a Google account before handing over the list.

Unfortunately, the script doesnt check what page is making the request. So, if you are logged in on window 1, window 2 (an evil site) can make the function call. Since you are logged in somewhere, the cookie is valid and the request goes through.

Also, if you check the object that is returned, you see fields for the contact's name, email and "affinity". Presumably, a higher affinity means a more-emailed contact, so it may be possible to know the relative weight of links.

Possible solutions

Google is run by smart people and I'm sure they'll have this fixed soon. A few suggestions appear to be popping up, all centered on making sure the user is on a Google.com page and not a random site:

Referrer blocking: Block all requests from sites not in the google.com domain. However, some people run referrer-blocking software. It may be the price they have to pay for security, but there could be other consequences.

Script checks: An idea I had was to check the window.location (just like you check the cookie) to make sure it's coming from a google.com domain. This is another way to see what page is making the request.

Challenge-response: Google pages (like Gmail) can have some token or unique, computed data that they submit with their requests. Random pages won't have access to this token when they make the function call.

(From user JRF on reddit): Include part of cookie in the request URL as a unique token that only a "real" Google page would know. Need to watch out for proxies/browser history (accessible from other pages) being able to access this unique data. May need to seed or salt it in a challenge-response system.

It's interesting thinking of fixes for this - do you have any other suggestions for how Google would fix this?

Re:Don't volunteer that much info to Google

[shellbeach]

This is only a problem for people who are violating one of the primary security policies in the first place, and that's putting your contact list in Gmail in the first place. While Google may claim to not be evil now, there's no guarantee at any time in the future, all the information they collect from you and on you won't be given or sold to other entities or otherwise exploited for nefarious purposes. Whilst this is true, it's just the same as giving one's details to banks, credit card companies, phone companies, etc, etc ... they all have access to private and confidential information. I'm not sure that there's any more reason to suspect that they're any better or worse than Google - and judging from all the credit card snail-mail spam (from rival companies) that I've got since reluctantly obtaining a credit card, there's very good evidence to suggest that they wilfully share this info.

Of course, by placing all your email in the hands of a company, you're undoubtedly taking a huge risk. But - perhaps unfortunately - it doesn't stop me doing it! I guess you have to hope that the huge amounts of bad will and loss of custom a company would get from using or distributing such information is incentive enough to leave well alone ...

Nonsense

[truth_revealed]

XML has no special cross-domain security over plain JSON.

JSON is not the problem here. The problem was the stupid google({}) function call wrapped around the JSON in the reply. Remove that stupid function call and everything is fine. Since you cannot receive or send data via XmlHttpRequest to a domain other than the one that served up the HTML, you will not be at risk if only JSON is returned.

The sky is falling!
The sky is falling!
Sheesh.