There is currently a serious flaw in how Google's services manage your Gmail contact list. By simply visiting any website you might unknowingly surrender everyone in your contact list…including their name, email address, and the avatar that they use.
Google has this feature so that users can easily send documents to anyone on their contact list, but the way it is currently set up, it can be exploited. The script that most people are referring to is on the Google Docs server but it is also available on the Google Notebook server, Google Groups server, and I’m sure there are many others.
What’s even more interesting is that Google is reporting that the flaw is fixed, but visiting the external site mentioned above proves that it is very much alive. So what did they mean when they said it was fixed? Well, they fixed the problem on the Google Video server (it now redirects to a 404 error page), but apparently they didn’t realize that the same system was used for nearly all of their services.
Ironically, news of this security flaw comes just one week after 60 Gmail users found out that they lost all emails and contacts listed in their account. I’m sure Google is having a tough time trying to complete projects and tend to all of these problems at the same time.
Google appears to be in the process of fixing the links because the Google Docs one no longer works (which means the external site that I took a screenshot of doesn’t work either). Clicking on the links to the Google Notebook or Google Groups server still works fine though.
News Source: Tech Reads