What is Digg?12 Comments
- bigredgpk, on 10/12/2007, -0/+6Why? Did you burn them?
- kuza55, on 10/12/2007, -0/+6First of all, VERY nice find! (there have been similar things, like this: http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html , but nothing quite as clean and cool, :D)
It uses a flaw that google puts user details into a js file, which the website parses, to see what i mean, log into Gmail, go here: http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999 and it should be fairly self explanatory.
Gah, I can't post the decoded source, but I can upload it to pastebin: http://pastebin.com/848808 - headzoo, on 10/12/2007, -1/+6I like how the author (Haochi) says Google was contacted this morning, and half an hour ago. Geez.. how about giving the Google folks some time to look at the situation.
I guess it's more important to be a l33t hacker, and show off, then give the Google folks ample notice. Most people wouldn't pull a stunt like this until it's obvious the company being contacted is simply ignoring your warnings. - haochi, on 10/12/2007, -0/+5Well, I am not suppose to comment in my own post, It has, hmm, not really anything to do with your cookies, well, of course, you will have to be logged into Gmail. *Edited: Oops, forgot to use the reply feature. My bad. :(*
- kuza55, on 10/12/2007, -0/+3Not really, for almost every google service, be it Gmail, Blogger, Orkut or Analytics, if you're logged into one of them, you're logged into all of them (The only exception I know of is Adsense, but that makes sense since its financially important and must be segregated), and what if you get sent a link in an email (maybe I should write that mass mailing worm I thought of.....), then you're already logged in. Sure you shouldn't click on untrusted links either, but if its from someone you know.....
And anyways, I keep Gmail open, so I can quickly check if I got any new emails by keeping it open in my leftmost tab and seeing if the number of unread emails in my inbox has chnaged, and since I use GMail to aggregate data from all the forums, etc, I'm part of it saves me having to go to every site I'm getting emails from manually. - lhnz, on 10/12/2007, -1/+3I think you would want props for finding the exploit had you done so.
- ers35, on 10/12/2007, -2/+4My guess is that it has something to do with my cookies.
- fozzie, on 10/12/2007, -2/+1That is why I use NoScript, my favorite Firefox plugin.
- algoseek, on 10/12/2007, -1/+0I didn't expect to get such a new year surprise from them. It is a shame.
- 1911wolf, on 10/12/2007, -5/+3So, the solution is to logout of your GMail session? Shouldn't you already be doing that? Maybe I'm in the minority here since I don't leave any web site session logged in.
- inactive, on 10/12/2007, -4/+2//Happy New Year, Diggers and Googlers. :)
//Note: this chunk of junk doesn't store your contact lists,
//just some random code of mine, and you are not getting a
//prize for decoding it, although its New Year. ;)- - ers35, on 10/12/2007, -5/+1Ah, so it "attacks" Google directly then, using my logged in session? I'll stop questioning now.
It identified my email incorrectly as well. Mine was fourth on the list instead of first.
© Digg Inc. 2009
— Content created and posted by Digg users is