Web sites were able to steal Gmail contact lists

January 2, 2007

http://www.heise-security.co.uk/news/83089

In our article 'The year 2007: A review through the crystal ball', heise Security predicted that all e-mail correspondence would soon be publicly accessible. At the moment, Gmail users may find that their contact list, at least, already is. Anyone who opens a link in an e-mail in their Gmail inbox risks having the website they visit read out all of their Gmail contacts. The user only needs to be logged in to Gmail at the time, which is very likely, since they have to be reading the e-mail when they click on the link.

heise Security reproduced the results in a short test. The theft is possible because Google always saves the contact list as JavaScript code under the same URL. A website then only needs to include this URL as a script and read out the field, as a number of websites already demonstrate. However, Google does seem to have reacted to this hole, since the demos, at least, no longer work.

This issue is especially embarrassing for the leading search engine because Jeremiah Grossman wrote about this problem exactly one year ago in his blog and even reported it to Google. Apparently, no one there took his warnings against saving sensitive data as JavaScript under predictable URLs seriously.
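The pattern described above, as an added example that is not code from the article or from Google: a contact list served as executable JavaScript at a fixed URL and authorized by cookie alone, next to a hardened handler. The session id, token, header name and `loadContacts` callback are hypothetical, and the session cookie is assumed to be sent on cross-site requests.

```javascript
// Constructed sample data; the session id, token and callback are hypothetical.
const SESSIONS = {
  "sid-123": { token: "t-9f2c7a", contacts: [{ name: "Alice", email: "alice@example.org" }] },
};

// Pattern from the article: the list is served as executable JavaScript
// at a fixed URL, authorized by the session cookie alone.
function vulnerableContacts(req) {
  const s = SESSIONS[req.cookies.sid];
  if (!s) return { status: 401, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "text/javascript" },
    body: `loadContacts(${JSON.stringify(s.contacts)});`,
  };
}

// Hardened form: require a per-session secret in a custom header, which a
// cross-site <script src> include cannot send, and return data, not code.
// (A production check would compare the token in constant time.)
function hardenedContacts(req) {
  const s = SESSIONS[req.cookies.sid];
  if (!s) return { status: 401, headers: {}, body: "" };
  if (req.headers["x-session-token"] !== s.token) {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" },
    body: ")]}'\n" + JSON.stringify(s.contacts), // prefix is a syntax error as script
  };
}

// True if the body would parse as a script (it is parsed only, never run).
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// What the server sees for a cross-site script include: the browser attaches
// the user's cookie, but the including page cannot add custom headers.
const scriptInclude = { cookies: { sid: "sid-123" }, headers: {} };
// The site's own page knows the token and sends it with its request.
const ownPageRequest = { cookies: { sid: "sid-123" }, headers: { "x-session-token": "t-9f2c7a" } };

function demo() {
  return {
    vulnerable: vulnerableContacts(scriptInclude),
    blocked: hardenedContacts(scriptInclude),
    legit: hardenedContacts(ownPageRequest),
  };
}
```

The site's own client strips the five-character prefix before calling `JSON.parse`; a page that merely includes the URL as a script gets a 403, and even a leaked 200 body would fail to parse as JavaScript.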

