digg

Join DiggAbout

Discover the best of the web!
Learn more about Digg by taking the tour.

Gmail Bug: Your Gmail Contact List is Being Expose to Spammers

googlified.com.googlepages.com — A recent discovered bug in Gmail can expose your email address and your contact list to spammers.

Bury
show profanity settings
expand all
  • ers35, on 10/12/2007, -2/+4My guess is that it has something to do with my cookies.
  • haochi, on 10/12/2007, -0/+5Well, I am not suppose to comment in my own post, It has, hmm, not really anything to do with your cookies, well, of course, you will have to be logged into Gmail. *Edited: Oops, forgot to use the reply feature. My bad. :(*
    • ers35, on 10/12/2007, -5/+1Ah, so it "attacks" Google directly then, using my logged in session? I'll stop questioning now.

      It identified my email incorrectly as well. Mine was fourth on the list instead of first.
  • kuza55, on 10/12/2007, -0/+6First of all, VERY nice find! (there have been similar things, like this: http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html , but nothing quite as clean and cool, :D)

    It uses a flaw that google puts user details into a js file, which the website parses, to see what i mean, log into Gmail, go here: http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999 and it should be fairly self explanatory.

    Gah, I can't post the decoded source, but I can upload it to pastebin: http://pastebin.com/848808
  • HaxityHaxHaxed, on 10/12/2007, -4/+2//Happy New Year, Diggers and Googlers. :)
    //Note: this chunk of junk doesn't store your contact lists,
    //just some random code of mine, and you are not getting a
    //prize for decoding it, although its New Year. ;)-
  • headzoo, on 10/12/2007, -1/+6I like how the author (Haochi) says Google was contacted this morning, and half an hour ago. Geez.. how about giving the Google folks some time to look at the situation.
    I guess it's more important to be a l33t hacker, and show off, then give the Google folks ample notice. Most people wouldn't pull a stunt like this until it's obvious the company being contacted is simply ignoring your warnings.
    • lhnz, on 10/12/2007, -1/+3I think you would want props for finding the exploit had you done so.
  • 1911wolf, on 10/12/2007, -5/+3So, the solution is to logout of your GMail session? Shouldn't you already be doing that? Maybe I'm in the minority here since I don't leave any web site session logged in.
  • kuza55, on 10/12/2007, -0/+3Not really, for almost every google service, be it Gmail, Blogger, Orkut or Analytics, if you're logged into one of them, you're logged into all of them (The only exception I know of is Adsense, but that makes sense since its financially important and must be segregated), and what if you get sent a link in an email (maybe I should write that mass mailing worm I thought of.....), then you're already logged in. Sure you shouldn't click on untrusted links either, but if its from someone you know.....

    And anyways, I keep Gmail open, so I can quickly check if I got any new emails by keeping it open in my leftmost tab and seeing if the number of unread emails in my inbox has chnaged, and since I use GMail to aggregate data from all the forums, etc, I'm part of it saves me having to go to every site I'm getting emails from manually.
  • algoseek, on 10/12/2007, -1/+0I didn't expect to get such a new year surprise from them. It is a shame.
  • fozzie, on 10/12/2007, -2/+1That is why I use NoScript, my favorite Firefox plugin.
  •  

    Login or register to add a comment

    Create a new account or login to join in the conversation on Digg. You'll also be able to Digg stories to help promote things you like.


© Digg Inc. 2008 — Content posted by Digg users is dedicated to the public domain.
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.