Google Fixes Contact List Flaw
The flaw in Google’s webapps that affected Gmail (aka Google Mail in UK and Germany for legal reasons) appears to have been fixed by Google. The JavaScript page that used to list your contacts now returns the following empty list:
google ({
Success: false,
Errors: []
})
This means that the problem reported yesterday is no longer an issue. However, it demonstrates that security in web applications is just as important as security in the browser.
As Slashdot still hasn’t updated their article, despite numerous comments, I will stress again that this is not a Firefox issue. It is a bug in the site and therefore will show up in all browsers.
UPDATE: it seems that although that particular issue has been fixed, it’s still possible to access the contact list as an XML file. It will take a bit more coding for people to steal your contact list, but it may still be relatively easy. I will keep this site updated with any further news, but for the moment follow the advice in my previous post.
UPDATE 2: it appears that the contact list being accessible via an XML file is not a security risk, as standard browser security (the same-origin policy) should not allow JavaScript hosted on one site to read XML returned by a different domain. Therefore I was not able to construct any steps to exploit this, and there appears to be nothing out there in the wild either. Therefore I’m changing the title of this article back to ‘Google Fixes Contact List Flaw’. I thought it was best to err on the side of caution until I could verify whether the problem was fixed.
January 2nd, 2007 at 2:24 pm
It seems fairly incompetent of Google to only partially fix this. The URL that generates this XML is the same as the one that did generate that JavaScript but with different parameters passed to it. This seems so unlike Google who usually hire some of the best engineering talent.
January 2nd, 2007 at 3:15 pm
Why hasn’t this security flaw received more press coverage? Surf the net while logged in to Google and give your entire contact list to every web site (and its advertisers!) you visit. It’s appalling.
How many other web services have this problem? Are Yahoo Mail users vulnerable to a similar attack?
Will Google let anyone know when they have put in place a REAL fix for this problem? I went through their help pages yesterday and submitted a request that they announce when they’ve fixed the problem. I doubt anyone will ever hear from them. Their arrogance is extraordinary and may ultimately bring them down.
January 2nd, 2007 at 7:15 pm
[…] Some are reporting that Google has already responded with a fix to this issue. It sounds like they’ve reacted pretty quickly and put in a simple fix that will prevent most of the damage. Others have pointed out that there are still vulnerabilities in GMail that can be exploited by malicious hacks. […]