There is currently a serious flaw in how the Google Services manages your Gmail contacts list. By simply visiting any website you might unknowingly surrender everyone in your contact list…including their name, email address, and the avatar that they use.
If you want to see your contact list retrieved without taking any risks just click on this link which is on the Google server. If you look closely in that JavaScript file you’ll notice that all of your contacts are inserted through it. Now if you decide that you want to take it a step further go ahead and visit this site [warning: it is an external site]. I looked through the source code on that page and didn’t see anything malicious but the screenshot that I took essentially shows you what would happen. It retrieves that name and email address of everyone in your contact list along with any avatars that they have associated with their accounts.
Google has this feature so that users can easily send documents to anyone on their contact list but with the way it is currently setup, it can exploited. The script that most people are referring to is on the Google Docs server but it is also available on the Google Notebook server, Google Groups server, and I’m sure there are many others.
What’s even more interesting is that Google is reporting that the flaw is fixed, but visiting the external site mentioned above proves that it is very much alive. So what did they mean when they said it was fixed? Well, they fixed the problem on the Google Video server (redirects to a 404 error page), but apparently they didn’t realize that they same system was used for nearly all of their services.
Ironically, news of this security flaw comes just one week after 60 Gmail users found out that they lost all emails and contacts listed in their account. I’m sure Google is having a tough time trying to complete projects and tend to all of these problems at the same time.
| Update: |
Google appears to be in the process of fixing the links because the Google Docs one no longer works (which means the external site that I took a screenshot of doesn’t work either). Clicking on the links to the Google Notebook or Google Groups server still works fine though.
|
News Source: Tech Reads
Enjoyed the post? Subscribe to our feed to get a daily dose of CyberNet!
Tags: Google
Related Posts:
- When will Gmail Storage Counter Stop Again? I know!
- Another Google Security Flaw Found
- Google Security Woes Continue
- Helpful Tip: Gmail Contact Groups
- Gmail Finally Stops Adding Contacts Automatically
This shows everything associated with a contact, phone numbers, addresses, etc.
I have heard that for this to be exploited, you have to have one of your Google resources (Gmail, Calendar, etc.) running while you are browsing the web. If you hit a website that is exploiting this with one of those other resources open, then the exploit will work and your contact information will be taken.
I guess I need to get into the habit of closing Gmail when I am browsing the web as I normally leave it open.
It works fine for me without having any of the things open…except I have Google Talk but I wouldn’t think that an application could affect it.
You just have to be logged in to a Gmail service on your browser.
I didn’t worry about clicking that link, as it’s my contacts that would have been spammed
I must agree with OldManDeath’s suggestion.
Since I have come to depend a great deal on the Google resources…and have been a bit paranoid about an exploit like that occurring…I have always been in the habit of fully logging out of any Google/Blogger/Gmail/etc. resource when I am done.
In fact, I do that anyway for just about all the “medium security” sites when I browse except for just a handful of “low-security” forum sites that I just generally stay logged into at all times. “High-security” sites (related to on-line banking activities) always get a new browser window…login…perform the activity…logout…delete cache/forms…close browser..then reopen a fresh browser session for regular web surfing again. Do others to that as well?
It’s not quite as convenient, but (I hope) more secure.
Then again, now that tabbed browsing is pretty common in FF and IE7, I guess I have to be that much more careful that opening any additional site-pages while I am signed in to my Google accounts.
I haven’t gone to those extremes but I have to admit that it’s a good idea. I may have to start doing things like that as well.
Not ironic…more like insult to injury.