GMail Vulnerable To Contact List Hijacking

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7. IE6 was un-tested as of now."

Which is the problem?

[Zaphod-AVA]

So is this a Firefox, Gmail, or javascript vulnerability?

Re:Which is the problem?

[Stalus]

Works fine in IE6. TFA states "I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three." so I'm not sure where the poster got the idea that it was Firefox only.

Re:Which is the problem?

[Bogtha]

GMail. JSON should not be used for sensitive data because any old website can reference it simply by including it as an external script. The Google developers should not have used JSON for this information, they did, and that is why this information leak exists. There are ways to protect JSON from this (e.g. nonces) but you have to actually add this security yourself, rather than relying on the browser's built-in cross-domain security like you could if you were using XML etc.

Re:Which is the problem?

[buro9]

It's a problem with web services that comes from an assumption that JavaScript cross-domain security is in place.

When you surface data via Xml web services, you can only call the web service on the domain that the JavaScript calling it originates from. So if you write your web services with AJAX in mind exclusively, then you have made the assumption that JavaScript is securing your data.

The problem is created at two points:
1) When you rely on cookies to perform the implicit authentication that reveals the data.
2) When you allow rendering of the data in JSON which bypasses JavaScript cross-domain security.

This can be solved by doing two things:
1) Make one of the parameters to a web service a security token that authenticates the request.
2) Make the security token time-sensitive (a canary) so that a compromised token does not work if sniffed and used later.

The security token should be gathered by authenticating the user according to a mechanism that the user controls. Think of the way that the Flickr API asks you to grant an application access to your data.

Anyhow, use the noscript extension in Firefox to ensure that your data is not compromised, as you will be able to choose to block the script from running, and in doing so prevent others from gaining access to your data.

The Internet Exporer alternative is to disable JavaScript, but few people ever do this because too few sites (especially Web2.0 sites) degrade gracefully when JavaScript is disabled.

Submitter has a problem with Firefox?

[CTho9305]

RTFA:
I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three.

Does the submitter have some agenda against Firefox?

Re:Submitter has a problem with Firefox?

[islanduniverse]

I'm glad I've switched back to IE7!

Re:Submitter has a problem with Firefox?

[Tim+C]

It works fine in my install of FF 2.0.0.1; you have to be logged in to gmail for it to work. Despite what it says in the summary, it also works in IE7 - in fact, it'll work in any browser that

* supports cookies
* supports loading of resources from domains other than the one the currently-loaded page is hosted on
* supports accessing those resources

ie pretty much all (modern) browsers.

Phew!

[sorrill]

We are lucky it was not Microsoft's Hotmail!

Works in most any java-script browser

[wnknisely]

According to the reports on Digg this hack works in all modern browsers. The real fix is probably to stop storing the contact list in a local java-script based file. (Or to always be sure to log out of Google after visiting a google page.)

http://www.digg.com/programming/GMail_Hacked_Visit _ANY_Website_and_Your_Whole_Contact_List_Can_be_St olen

It's an information leak

[MarkByers]

http://docs.google.com/data/contacts?out=js&show=A LL&psort=Affinity&callback=google&max=99999

It can be exploit by writing a callback function in Javascript, that can do anything, and then passing it to the above link, which gives your function all the users contact info.

Re:It's an information leak

[whiteknight31]

Heres the code that the original site used. http://www-static.cc.gatech.edu/~achille/contacts- source.txt

Why do I bother with this site?

[Inda]

Slashdot says:

"So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7"

TFA says:

"I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three."

Got any jobs going? I could do nice armchair job at Slashdot. I'd be willing to work the full 3 hours a week.

Re:Why do I bother with this site?

[Headcase88]

I could do nice armchair job at Slashdot.

Not with that sentence structure. You only made one grammar error. You could never be a /. editor.

Thank goodness

[messner_007]

Thank goodness. I was beginning to think that no one cared about my contacts.

Conceptual problem

[JackHoffman]

Loading script files to exchange data with the server is a very common mechanism. It even has a name: JSON. It wouldn't surprise me to find that there are many more web applications which could be exploited in this way. This isn't a browser vulnerability or a simple bug. It is a design flaw of a widely used communication protocol.

Fixed?

[prestonmcafee]

According to

http://blogs.zdnet.com/Google/?p=434
it is fixed.

Re:How does this work

[dolphinling]

No. Cross-domain xmlhttprequests are blocked by firefox at least, and I'd suspect by other browsers as well. The point is that you don't have to do a cross-domain xmlhttprequest here, since google conveniently stores it in a separate javascript file, and that is embeddable in other pages.

Re:How does this work

[TubeSteak]

Here's the super simple explanation

1. Gmail sets a cookie saying you're logged in
2. A [3rd party] javascript tells you to call Google's script
3. Google checks for the Gmail cookie
4. The cookie is valid
5. Google hands over the requested data to you

If [3rd party] wanted to keep your contact list, the javascript would pass it to a form and your computer would happily upload the list to [3rd party]'s server.

At no point does [3rd party] make any request to Google.

Wow

[Altanar]

C'mon, /. You're reporting this now? It's already been fixed.

Not Fixed

[astrosmash]

Still works for me. You can run this script from a local html file to check:

<html>
<head>
<script>
function google(a) {
document.write("<ol>");
for (i = 0; i < a.Body.Contacts.length; i++) {
document.write("<li>" + a.Body.Contacts[i].Email + "</li>");
}
document.write("</ol>");
}
</script>
<script src="http://docs.google.com/data/contacts?out=js&s how=ALL&psort=Affinity&callback=google&max=99999"> </script></head>
<body>
Hello
</body>
</html>