Slashdot Mirror


GMail Vulnerable To Contact List Hijacking

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet Explorer 7. IE6 was un-tested as of now."

17 of 139 comments

  1. Which is the problem? by Zaphod-AVA · · Score: 5, Insightful

    So is this a Firefox, Gmail, or javascript vulnerability?

    1. Re:Which is the problem? by Stalus · · Score: 4, Informative

      Works fine in IE6. TFA states "I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three." so I'm not sure where the poster got the idea that it was Firefox only.

    2. Re:Which is the problem? by Bogtha · · Score: 5, Insightful

      GMail. JSON should not be used for sensitive data because any old website can reference it simply by including it as an external script. The Google developers should not have used JSON for this information, they did, and that is why this information leak exists. There are ways to protect JSON from this (e.g. nonces) but you have to actually add this security yourself, rather than relying on the browser's built-in cross-domain security like you could if you were using XML etc.

      --
      Bogtha Bogtha Bogtha
    3. Re:Which is the problem? by buro9 · · Score: 4, Informative

      It's a problem with web services that comes from an assumption that JavaScript cross-domain security is in place.

      When you surface data via Xml web services, you can only call the web service on the domain that the JavaScript calling it originates from. So if you write your web services with AJAX in mind exclusively, then you have made the assumption that JavaScript is securing your data.

      The problem is created at two points:
      1) When you rely on cookies to perform the implicit authentication that reveals the data.
      2) When you allow rendering of the data in JSON which bypasses JavaScript cross-domain security.

      This can be solved by doing two things:
      1) Make one of the parameters to a web service a security token that authenticates the request.
      2) Make the security token time-sensitive (a canary) so that a compromised token does not work if sniffed and used later.

      The security token should be gathered by authenticating the user according to a mechanism that the user controls. Think of the way that the Flickr API asks you to grant an application access to your data.

      Anyhow, use the noscript extension in Firefox to ensure that your data is not compromised, as you will be able to choose to block the script from running, and in doing so prevent others from gaining access to your data.

      The Internet Explorer alternative is to disable JavaScript, but few people ever do this because too few sites (especially Web2.0 sites) degrade gracefully when JavaScript is disabled.

  2. Submitter has a problem with Firefox? by CTho9305 · · Score: 5, Informative

    RTFA:
    I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three.

    Does the submitter have some agenda against Firefox?

    1. Re:Submitter has a problem with Firefox? by Tim+C · · Score: 4, Informative

      It works fine in my install of FF 2.0.0.1; you have to be logged in to gmail for it to work. Despite what it says in the summary, it also works in IE7 - in fact, it'll work in any browser that

      * supports cookies
      * supports loading of resources from domains other than the one the currently-loaded page is hosted on
      * supports accessing those resources

      i.e. pretty much all (modern) browsers.

  3. Phew! by sorrill · · Score: 4, Funny

    We are lucky it was not Microsoft's Hotmail!

  4. Works in most any java-script browser by wnknisely · · Score: 4, Insightful
    According to the reports on Digg this hack works in all modern browsers. The real fix is probably to stop storing the contact list in a local java-script based file. (Or to always be sure to log out of Google after visiting a google page.)


    http://www.digg.com/programming/GMail_Hacked_Visit_ANY_Website_and_Your_Whole_Contact_List_Can_be_Stolen
    --
    In illa quae ultra sunt
  5. It's an information leak by MarkByers · · Score: 4, Informative

    http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999

    It can be exploited by writing a callback function in Javascript, that can do anything, and then passing it to the above link, which gives your function all the user's contact info.

    --
    I'll probably be modded down for this...
  6. Why do I bother with this site? by Inda · · Score: 4, Insightful

    Slashdot says:

    "So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7"

    TFA says:

    "I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three."

    Got any jobs going? I could do nice armchair job at Slashdot. I'd be willing to work the full 3 hours a week.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    1. Re:Why do I bother with this site? by Headcase88 · · Score: 5, Funny
      I could do nice armchair job at Slashdot.

      Not with that sentence structure. You only made one grammar error. You could never be a /. editor.
      --
      "When the atomic bomb goes off there's devastation...but when the atomic bong goes off there's celebraaaaation!"
  7. Thank goodness by messner_007 · · Score: 4, Funny

    Thank goodness. I was beginning to think that no one cared about my contacts.

  8. Conceptual problem by JackHoffman · · Score: 5, Informative

    Loading script files to exchange data with the server is a very common mechanism. It even has a name: JSON. It wouldn't surprise me to find that there are many more web applications which could be exploited in this way. This isn't a browser vulnerability or a simple bug. It is a design flaw of a widely used communication protocol.

  9. Fixed? by prestonmcafee · · Score: 4, Informative
    According to http://blogs.zdnet.com/Google/?p=434 it is fixed.

  10. Re:How does this work by TubeSteak · · Score: 4, Informative

    Here's the super simple explanation

    1. Gmail sets a cookie saying you're logged in
    2. A [3rd party] javascript tells you to call Google's script
    3. Google checks for the Gmail cookie
    4. The cookie is valid
    5. Google hands over the requested data to you

    If [3rd party] wanted to keep your contact list, the javascript would pass it to a form and your computer would happily upload the list to [3rd party]'s server.

    At no point does [3rd party] make any request to Google.

    --
    [Fuck Beta]
    o0t!
  11. Wow by Altanar · · Score: 4, Informative

    C'mon, /. You're reporting this now? It's already been fixed.

  12. Not Fixed by astrosmash · · Score: 4, Informative

    Still works for me. You can run this script from a local HTML file to check:

    <html>
    <head>
    <script>
    // Callback named in the URL below; Google's response calls it with the contact data
    function google(a) {
    document.write("<ol>");
    for (var i = 0; i < a.Body.Contacts.length; i++) {
    document.write("<li>" + a.Body.Contacts[i].Email + "</li>");
    }
    document.write("</ol>");
    }
    </script>
    <script src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999"></script></head>
    <body>
    Hello
    </body>
    </html>

    --
    ENDUT! HOCH HECH!