GMail Vulnerable To Contact List Hijacking

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7. IE6 was un-tested as of now."

Which is the problem?

[Zaphod-AVA]

So is this a Firefox, Gmail, or javascript vulnerability?

Re:Which is the problem?

[Bogtha]

GMail. JSON should not be used for sensitive data because any old website can reference it simply by including it as an external script. The Google developers should not have used JSON for this information, they did, and that is why this information leak exists. There are ways to protect JSON from this (e.g. nonces) but you have to actually add this security yourself, rather than relying on the browser's built-in cross-domain security like you could if you were using XML etc.

Submitter has a problem with Firefox?

[CTho9305]

RTFA:
I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three.

Does the submitter have some agenda against Firefox?

Conceptual problem

[JackHoffman]

Loading script files to exchange data with the server is a very common mechanism. It even has a name: JSON. It wouldn't surprise me to find that there are many more web applications which could be exploited in this way. This isn't a browser vulnerability or a simple bug. It is a design flaw of a widely used communication protocol.

Re:Why do I bother with this site?

[Headcase88]

I could do nice armchair job at Slashdot.

Not with that sentence structure. You only made one grammar error. You could never be a /. editor.