Gmail Contacts List vulnerability
There appears to be a cross-site scripting vulnerability in Gmail that affects IE, Firefox and Opera. It’s to do with the way Gmail stores the contact list when you’re logged in. The website that supposedly demonstrates the vulnerability is currently down, stating ‘Causing too much trouble already… I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google.‘ I will see if I can find out more about this within the next few hours.
UPDATE: I’ve checked and this vulnerability does affect all browsers on my system with JavaScript enabled. That’s because the bug is not in the browser; it’s just some badly designed coding from Google. The problem is that the contacts are stored as a plain JavaScript file, and this file can be included in an HTML file and manipulated. Loading scripts from another site has legitimate uses: Google Analytics and AdSense both load external JavaScript files from Google’s servers, so browsers shouldn’t remove this functionality. In this instance it’s up to the application developers to consider security in their design.
Slashdot, as usual, have put up a story about this without reading the linked article. According to Slashdot only Firefox is affected, which is not true, as it’s a web-app issue, not a browser issue.
If you trust this site you can see an example of this vulnerability here. If you don’t trust this site, make sure you’re logged out of Gmail before visiting the page; you will see nothing in this case, but selecting ‘view source’ will show you how easy accessing this data is.
January 1st, 2007 at 7:41 pm
But isn’t this just like those old so-called exploits that let people see your C: drive, when in reality it was just an iframe showing the contents? The site could not manipulate this information.
January 1st, 2007 at 7:45 pm
This information can be exploited by an external site. The easy way for the site to do this is to feed the information into hidden form parameters and either get JavaScript to auto-submit the information or wait until the user clicks a link that auto-activates the submission.