Gmail Contact List There is currently a serious flaw in how the Google Services manages your Gmail contacts list. By simply visiting any website you might unknowingly surrender everyone in your contact list…including their name, email address, and the avatar that they use.




If you want to see your contact list retrieved without taking any risks just click on this link which is on the Google server. If you look closely in that JavaScript file you’ll notice that all of your contacts are inserted through it. Now if you decide that you want to take it a step further go ahead and visit this site [warning: it is an external site]. I looked through the source code on that page and didn’t see anything malicious but the screenshot that I took essentially shows you what would happen. It retrieves that name and email address of everyone in your contact list along with any avatars that they have associated with their accounts.

Google has this feature so that users can easily send documents to anyone on their contact list but with the way it is currently setup, it can exploited. The script that most people are referring to is on the Google Docs server but it is also available on the Google Notebook server, Google Groups server, and I’m sure there are many others.

What’s even more interesting is that Google is reporting that the flaw is fixed, but visiting the external site mentioned above proves that it is very much alive. So what did they mean when they said it was fixed? Well, they fixed the problem on the Google Video server (redirects to a 404 error page), but apparently they didn’t realize that they same system was used for nearly all of their services.

Ironically, news of this security flaw comes just one week after 60 Gmail users found out that they lost all emails and contacts listed in their account. I’m sure Google is having a tough time trying to complete projects and tend to all of these problems at the same time.

Update:
Google appears to be in the process of fixing the links because the Google Docs one no longer works (which means the external site that I took a screenshot of doesn’t work either). Clicking on the links to the Google Notebook or Google Groups server still works fine though.

News Source: Tech Reads