9 Comments

Cross site scripting (XSS) Gmail vulnerability

January 1, 2007 by in Privacy,Tech with 9 Comments

According to Tech Reads [via], Gmail users who are currently logged into their accounts who follow a unique URL can expose their entire contacts list (without even knowing).

Using a form of cross scripting, it becomes easy to steal a GMail user’s contact list if they visit a certain type of website. The only condition is you have to be logged in to GMail at the time of the attack. GMail is setup to store your contact list in javascript files, which is the core problem. If you log into your GMail account, and click here [see link below], you’ll see your contact’s details, along with their email.

Thanks to a little cross site scripting (XSS), anyone who visits the following URL below can view their entire contacts list outside of Gmail. Image the implications of such a privacy hole if email harvesters created a site which exploited such a hole for profit?

http://googlified.com.googlepages.com/contactlist.htm

I’ve tested the the above URL on a few dummy accounts in Safari, Opera, Firefox, and IE6/7 and the script does indeed display contact email addresses (if previously logged into Gmail).

UPDATE: Long time friend of the site Ferny B has modified the script to work again (We have mirrored a copy of the script here)


  • Eddie

    I just tried your link in Firefox 2.0 and got the following message:

    “Causing too much trouble already… I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google.”

    Guess it doesn’t work anymore?

  • JJ

    Like they say, Gmail is still at beta stage…

    I read about it in Slashdot, but didnt test it. But I suppose Firefox plugin NoScript prevents real malicious sites gathering this information?

  • carney1979

    Hmmm…I tried logging onto Gmail on one tab in Firefox and then opening the URL “http://googlified.com.googlepages.com/contactlist.htm” in a new tab while still logged onto Gmail on the first tab and all I got was “Causing too much trouble already… I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google.”.

    Because I stay logged onto Gmail with Firefox, I tried visiting the same link with no extra tabs open and got the same as in the first example.

    Did Gmail fix this already?

    David

  • http://fernyb.net FernyB

    I modified the script. I saw this story digg. Here are the files if anyone wants them, Oh yeah I modified it so that it can log the emails too. http://fernyb.net/ur.gmail.contacts-PHPAjax.zip
    Although try it out on your local machine. It works.

  • http://paulstamatiou.com Paul Stamatiou

    @FERNYB, doesn’t work on my dev server.. perhaps gmail fixed it? Or is this a firefox only thing, I’m in Safari.

  • http://fernyb.net FernyB

    Well it used to work. So I guess the folks over at google fixed it. hurray its fixed.

  • http://is.derekpunsalan.com Derek

    Google definitely plugged this one. Paul, I tested the hole in Safari when the topic was posted and it worked (signed in through Gmail Notifier).

  • chad

    @JJ

    Beta for what… 3 years now? lol

    I think they are officially in Beta.Beta.Alpha at this point ;)

  • Vinicius K-Max

    still works :D

Privacy Policy | About Us | Contact Us | Write for us