
GMail Vulnerable To Contact List Hijacking

Hemos posted more than 7 years ago | from the in-special-circumstances dept.

Security 139

Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet Explorer 7. IE6 was untested as of now."


Which is the problem? (5, Insightful)

Zaphod-AVA (471116) | more than 7 years ago | (#17422002)

So is this a Firefox, Gmail, or javascript vulnerability?

Re:Which is the problem? (4, Informative)

Stalus (646102) | more than 7 years ago | (#17422044)

Works fine in IE6. TFA states "I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three." so I'm not sure where the poster got the idea that it was Firefox only.

Re:Which is the problem? (0, Troll)

klept (895849) | more than 7 years ago | (#17424586)

To Stalus or anyone else on Slashdot. I have a couple of questions that I would deeply appreciate if they could be answered. Ok, this latest hack on gmail. Is it only your contact list that they receive? Is nothing else hacked into, like your inbox, messages sent, etc.? If so, I will be lmaf. Many of my contacts are programmers, and they will not take this spam hack lying down. If anyone can track these bozos they will, and they know how to retaliate lol. Second, an earlier story had about 60 gmail account files completely deleted. Is this part of the same hack or problem? Or is it a separate incident and, as Google claimed, a glitch that has been fixed? Perhaps when they corrected the "glitch" they created an "issue", like a vulnerability that caused this contact hack? Any enlightenment would be greatly appreciated. Thank you.

Re:Which is the problem? (2, Funny)

Anonymous Coward | more than 7 years ago | (#17425932)

Uhhh... you should be thanking these "bozos" for releasing the exploit so it can be fixed, tough-programmer-guy. If your programmer friends are such l337 d00ds then maybe they'd find and fix some of these exploits themselves, instead of being blindly vulnerable until some "bozos" save their ass. BTW, what does being a programmer have to do with being able to "retaliate" against some obviously much smarter programmers? Gonna send them some code? Gonna do a double compile on their bitch asses?

Why don't you ask your l337 h@X0r buddies to just look at the code. Then you'd see how the vulnerability works, and what information it can retrieve. Though I don't know if the code will look right when they try to open it in VB.

It's an information leak (4, Informative)

MarkByers (770551) | more than 7 years ago | (#17422072)

http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999 [google.com]

It can be exploited by writing a callback function in Javascript, which can do anything, and then passing it to the above link, which gives your function all the user's contact info.

Re:Which is the problem? (1)

WinKing (1043446) | more than 7 years ago | (#17422276)

If there is no problem for other browsers then obviously there is something that FF needs to look into.
Nowadays, since the release of FF, I have heard of lots of issues between GG and FF. You may have seen the latest update for Firefox 2.0 for the fixing of gMail. Wondering what the reasons could be.

Re:Which is the problem? (5, Insightful)

Bogtha (906264) | more than 7 years ago | (#17422884)

GMail. JSON should not be used for sensitive data because any old website can reference it simply by including it as an external script. The Google developers should not have used JSON for this information, they did, and that is why this information leak exists. There are ways to protect JSON from this (e.g. nonces) but you have to actually add this security yourself, rather than relying on the browser's built-in cross-domain security like you could if you were using XML etc.

Re:Which is the problem? (4, Informative)

buro9 (633210) | more than 7 years ago | (#17423374)

It's a problem with web services that comes from an assumption that JavaScript cross-domain security is in place.

When you surface data via Xml web services, you can only call the web service on the domain that the JavaScript calling it originates from. So if you write your web services with AJAX in mind exclusively, then you have made the assumption that JavaScript is securing your data.

The problem is created at two points:
1) When you rely on cookies to perform the implicit authentication that reveals the data.
2) When you allow rendering of the data in JSON which bypasses JavaScript cross-domain security.

This can be solved by doing two things:
1) Make one of the parameters to a web service a security token that authenticates the request.
2) Make the security token time-sensitive (a canary) so that a compromised token does not work if sniffed and used later.

The security token should be gathered by authenticating the user according to a mechanism that the user controls. Think of the way that the Flickr API asks you to grant an application access to your data.

Anyhow, use the noscript extension in Firefox to ensure that your data is not compromised, as you will be able to choose to block the script from running, and in doing so prevent others from gaining access to your data.

The Internet Explorer alternative is to disable JavaScript, but few people ever do this because too few sites (especially Web2.0 sites) degrade gracefully when JavaScript is disabled.

Re:Which is the problem? (1)

appavi (679094) | more than 7 years ago | (#17425664)

Even with JSON it is possible to prevent these types of leaks. For the requests that contain sensitive data, send data only if the HTTP request method is POST. If it is GET, then simply give a 403. Third-party websites can get javascript files/data from Google only through GET (using script tags, not with XMLHttpRequest). They can't make POST requests because they will be prevented by the same-domain policy. Google applications can retrieve the data through the POST method using XMLHttpRequest because they will be in the same domain.

damn... (-1)

Anonymous Coward | more than 7 years ago | (#17422008)

Works as advertised, unfortunately.

Submitter has a problem with Firefox? (5, Informative)

CTho9305 (264265) | more than 7 years ago | (#17422014)

RTFA:
I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three.

Does the submitter have some agenda against Firefox?

Re:Submitter has a problem with Firefox? (1)

davidmcg (796487) | more than 7 years ago | (#17422050)

Indeed the current article is a bit light on details but it does say it affects the three main browsers - time to expect the barrage of "I'm glad to have switched back to IE7" posts from others that have not RTFA.

The link to test out the vulnerability seems to be down.

Re:Submitter has a problem with Firefox? (3, Funny)

islanduniverse (925110) | more than 7 years ago | (#17422332)

I'm glad I've switched back to IE7!

Re:Submitter has a problem with Firefox? (-1, Offtopic)

Axe (11122) | more than 7 years ago | (#17424324)

I am glad that I am using IE7. The killer feature that made me switch is a much nicer zoom for pages, compared to Firefox, which helps on my 1900x1200 laptop screen on some sites where developers insisted on adding flash content sized for an 800x600 screen... IE7 tabs are also a bit nicer and the interface is less cluttered than Firefox. That is my opinion and I do not care about yours.

Re:Submitter has a problem with Firefox? (1)

infradead (411971) | more than 7 years ago | (#17422218)

Didn't work on Firefox when I tried it earlier today. Move along please ...

Re:Submitter has a problem with Firefox? (4, Informative)

Tim C (15259) | more than 7 years ago | (#17422504)

It works fine in my install of FF 2.0.0.1; you have to be logged in to gmail for it to work. Despite what it says in the summary, it also works in IE7 - in fact, it'll work in any browser that

* supports cookies
* supports loading of resources from domains other than the one the currently-loaded page is hosted on
* supports accessing those resources

i.e. pretty much all (modern) browsers.

Re:Submitter has a problem with Firefox? (1)

thegamerformelyknown (868463) | more than 7 years ago | (#17425352)

Oddly enough, it isn't working for me in Opera 9.10 in Linux, despite being logged in, and Opera (AFAIK) matches that criteria...

Re:Submitter has a problem with Firefox? (1)

MattPat (852615) | more than 7 years ago | (#17423664)

To give the submitter the benefit of the doubt, perhaps he or she read the article as it only works on the third one.

Or, the submitter works for Microsoft and is therefore required to make IE look spotless, lest a chair come sailing from the other end of the room.

Re:Submitter has a problem with Firefox? (1, Funny)

MobileTatsu-NJG (946591) | more than 7 years ago | (#17423854)

"Does the submitter have some agenda against Firefox?"

Nah, it was just a gag to get ppl to RTFA.

Re:Submitter has a problem with Firefox? (0)

Anonymous Coward | more than 7 years ago | (#17425332)

>Does the submitter have some agenda against Firefox?

Nah. More likely:

1. He wanted to see if the /. editors were paying attention. (Hahahahahaha... ahh. Yeah, like that needed testing.)

2. He wanted to make sure his submission was sensational enough for acceptance by /..

Phew! (4, Funny)

sorrill (968643) | more than 7 years ago | (#17422028)

We are lucky it was not Microsoft's Hotmail!

phew! - doesn't spell relief for the mainstream (1)

doppiodave (911019) | more than 7 years ago | (#17422876)

"We are lucky it was not Microsoft's Hotmail!"

i'm always happy to tell the tale of MS's FTC privacy bust in 2002. but there's a not so funny side to software vulnerabilities for the millions of poor slobs who aren't reading this thread, or any like it. i don't think the /. hardcore fully appreciate how skittish end-users have become about this stuff, esp since they can't tell fact from rumor, or javascript from egg nog (well, neither can i). step back and think about how the poor unwashed masses will feel when stories start circulating about some deadly hole, crack or loose gear in gmail.

the good news is that awareness and suspicion levels about software have gone way up in the last 18 months. the bad news is that skill and effort levels for dealing with this shit haven't gone anywhere. i get my read from the 3rd and 4th year undergrads i teach. smart as they may be, most are just beginning to sense that working on redmond's software may have a downside. the students in question were stunned recently when attachments created in Word were banned until further notice.

so what's the bottom line here? has google been getting too much whitewash? is the problem solved? should people be falling all over themselves to revive their hotmail accounts? can non-geeks ever find a realistic way to manage their software expectations?

disclaimer: we're doing several weeks this term on google. then vista's drm nightmare. i am not, however, prepared to disclose how many gmail invitations i sent out in 2006.

Makes me glad I switched back to IE7 (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17422030)

Firefox has become a bloated mess, the developers are incompetent and the open source model has been proven inefficient and insecure.

Get it here: http://www.microsoft.com/windows/ie/ [microsoft.com]

Re:Makes me glad I switched back to IE7 (0, Redundant)

whiteknight31 (744465) | more than 7 years ago | (#17422056)

The article mentions that this affects IE and Opera as well as Firefox....

Re:Makes me glad I switched back to IE7 (0, Redundant)

blueCommand (990998) | more than 7 years ago | (#17422304)

That's funny. I can't seem to find the download link for Linux?

Works in most any java-script browser (4, Insightful)

wnknisely (51017) | more than 7 years ago | (#17422048)

According to the reports on Digg this hack works in all modern browsers. The real fix is probably to stop storing the contact list in a local java-script based file. (Or to always be sure to log out of Google after visiting a google page.)


http://www.digg.com/programming/GMail_Hacked_Visit_ANY_Website_and_Your_Whole_Contact_List_Can_be_Stolen [digg.com]

How does this work (1)

goombah99 (560566) | more than 7 years ago | (#17422094)

How can one page get access to another page's data? Javascript or not? Aren't pages that don't have a parent child hierarchy supposed to have no way to communicate (aside from same site cookies)? How does this work

Re:How does this work (1)

bberens (965711) | more than 7 years ago | (#17422370)

I suspect it works like the following:

Google places a cookie on your browser which indicates you have authenticated to Google. The afflicted website makes the same exact ajax call Gmail does in order to download the contact information. Since your browser holds the appropriate cookie, Google happily obliges and hands your contacts information over to your browser. Google.com has no way of knowing that it was javascript from another site which initiated the request, the request is coming from your browser's xmlhttp object, just like every other ajax request. The exciting part is that this exploit should work for any website, not just Gmail. It's always important to click 'log out' or close your browser when leaving sites you've authenticated to. Especially sites with personal information like webmail, banks, etc.

Re:How does this work (3, Informative)

dolphinling (720774) | more than 7 years ago | (#17422424)

No. Cross-domain xmlhttprequests are blocked by firefox at least, and I'd suspect by other browsers as well. The point is that you don't have to do a cross-domain xmlhttprequest here, since google conveniently stores it in a separate javascript file, and that is embeddable in other pages.

Re:How does this work (4, Informative)

TubeSteak (669689) | more than 7 years ago | (#17422472)

Here's the super simple explanation

1. Gmail sets a cookie saying you're logged in
2. A [3rd party] javascript tells you to call Google's script
3. Google checks for the Gmail cookie
4. The cookie is valid
5. Google hands over the requested data to you

If [3rd party] wanted to keep your contact list, the javascript would pass it to a form and your computer would happily upload the list to [3rd party]'s server.

At no point does [3rd party] make any request to Google.

Re:Works in most any java-script browser (2, Insightful)

Elentari (1037226) | more than 7 years ago | (#17422106)

Hopefully, one main difference between Digg and Slashdot is that the users here won't go and deliberately click the URL to watch their own account get hacked.

Re:Works in most any java-script browser (2, Funny)

thopkins (70408) | more than 7 years ago | (#17425044)

Most users on Slashdot won't click any links, especially links for the articles on which they are about to comment. ;)

Re:Works in most any java-script browser (2, Informative)

MarkByers (770551) | more than 7 years ago | (#17422120)

Actually it is not stored locally in Javascript. I assume that the information is stored in some sort of filesystem / database and converted to Javascript on the fly to ease integration with other applications. You can also get the same information as XML if you prefer:

http://docs.google.com/data/contacts [google.com]

Re:Works in most any java-script browser (1)

Phil246 (803464) | more than 7 years ago | (#17422130)

Hrm, since the source requests the js file from Google's servers, shouldn't it be possible to check the referrer to make sure it's a Google page?

Re:Works in most any java-script browser (1)

Sancho (17056) | more than 7 years ago | (#17422610)

That's trusting the client to send correct data. It's laughably easy to spoof the referrer.

it ought to be fine (1)

r00t (33219) | more than 7 years ago | (#17422834)

Sure, I can hack the referrer to get into my own gmail account. Wooo, scary!

My browser should not grant this ability to random javascript it finds on the web.

Re:it ought to be fine (1, Informative)

Anonymous Coward | more than 7 years ago | (#17423078)

My browser should not grant this ability to random javascript it finds on the web.

Why not? You're underestimating both how simple it is to spoof a referrer, and how stupid it is to use the referrer for security purposes.

nope (1)

r00t (33219) | more than 7 years ago | (#17424322)

I spoof the referrer all the time, using the "wget" command. That does no good for attacking gmail though, because how am I to get the required cookie?

The spoof would have to work from Javascript or Java, creating connections on behalf of the user. Merely opening a TCP/IP socket won't do, because you'd not be able to shove the cookie down the wire.

Why do I bother with this site? (4, Insightful)

Inda (580031) | more than 7 years ago | (#17422084)

Slashdot says:

"So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7"

TFA says:

"I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three."

Got any jobs going? I could do nice armchair job at Slashdot. I'd be willing to work the full 3 hours a week.

Re:Why do I bother with this site? (5, Funny)

Headcase88 (828620) | more than 7 years ago | (#17422154)

I could do nice armchair job at Slashdot.

Not with that sentence structure. You only made one grammar error. You could never be a /. editor.

Speaking of grammar errors... (1)

Artifice_Eternity (306661) | more than 7 years ago | (#17423548)

"By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. ..."

In other words, the submitter says that when a malicious website logs into Gmail and visits a website, it can steal my contact list.

Someone needs to learn how to use dependent clauses. The subject of the sentence above is a malicious website, and that's who is being described in the dependent clause as logging into Gmail and visiting a website.

Re:Why do I bother with this site? (1)

jZnat (793348) | more than 7 years ago | (#17422712)

Don't worry, they'll get the story straight in the dupe.

Re:Why do I bother with this site? (1)

Luminous (192747) | more than 7 years ago | (#17424056)

Well, then, why DO you bother with this site?

Thank goodness (4, Funny)

messner_007 (1042060) | more than 7 years ago | (#17422108)

Thank goodness. I was beginning to think that no one cared about my contacts.

Re:Thank goodness (0)

Anonymous Coward | more than 7 years ago | (#17425856)

Damn, now everybody must know about my monthly chat sessions with Jaleel White on plotlines Sonic the Hedgehog should've taken but didn't.

Oh, it only steals e-mail addys? Crap.
Sorry J.

Conceptual problem (5, Informative)

JackHoffman (1033824) | more than 7 years ago | (#17422148)

Loading script files to exchange data with the server is a very common mechanism. It even has a name: JSON. It wouldn't surprise me to find that there are many more web applications which could be exploited in this way. This isn't a browser vulnerability or a simple bug. It is a design flaw of a widely used communication protocol.

Re:Conceptual problem (1)

sbben (983577) | more than 7 years ago | (#17422490)

It is a design flaw of a widely used communication protocol.
Hey, this sounds familiar. SQL injection anyone?

Re:Conceptual problem (1)

TubeSteak (669689) | more than 7 years ago | (#17422556)

This isn't a browser vulnerability or a simple bug. It is a design flaw of a widely used communication protocol.
How do you fix it?

From what I understand, as long as the user has a valid cookie, the information is fair game... and I imagine that there are implementations that do not even bother with a cookie.

Maybe the question is: Can it be fixed?

Re:Conceptual problem (0)

Anonymous Coward | more than 7 years ago | (#17422772)

Maybe the question is: Can it be fixed?

Probably something along the lines of requiring a key to access the contact list.

per-site fix is obvious (2, Informative)

r00t (33219) | more than 7 years ago | (#17422882)

Lots of ways:

a. Place a 128-bit random number (UUID/GUID) into the URL for the contacts info.

b. Check the referrer. (foreign javascript should not be able to forge this)

c. Place an encrypted copy of the cookie into the URL of the contacts info.

d. Embed the contacts info in the page instead.

D is an AJAX candidate (0)

Anonymous Coward | more than 7 years ago | (#17423268)

You forgot AJAX: Store the contacts on the server as an XML resource and let the browser cache the XML. Replace the JSON load/unload code with stuff that loads the XML contact resources in the background and invalidates the cache with blank data at logout.

Re:Conceptual problem (1)

JackHoffman (1033824) | more than 7 years ago | (#17422904)

The problem is that the user has the cookie because he's logged into GMail (in a different window or tab, or he forgot to log out). The cookie which is sent with the request for the script is from the domain of the web app that the script is part of, not from the attacking website. One way to deal with this type of vulnerability is to check the HTTP referrer header, but since many users disable the referrer (mostly for privacy reasons), such a check would either not protect these users or prevent them from using the application. In essence, the website requesting the information would have to send something with the request that a third party can't know and can't cause another entity to add to the request (like the cookie). This means that the programmer has to take an extra precaution beyond implementing the functionality in a robust fashion, hence my assumption that many applications are similarly vulnerable.

Re:Conceptual problem (1)

stevey (64018) | more than 7 years ago | (#17423220)

There is a simple fix, rather than making a request to a remote site which tests only your logged in cookie it should instead send a "random" value with the request.

The way it works is:

  • Google sends a form to you with a hidden "auth string".
  • When you make a request back you send the same auth-string/token with the request.
  • If the login cookie is invalid then the request is denied.
  • If the login cookie is valid and the auth-string was correct the results are sent back.
  • If the auth-string was missing then you know the request was forged.

This is the difference between http://example.com/logout [example.com] and http://example.com/logout/124rkjfldf [example.com] for example - The former is insecure since example.net could include that link in an image source; whereas the latter example uses a token appended to the URL - if the submission doesn't have the correct token then it can be denied.

I wrote about this here [debian-adm...ration.org] , when I updated my site to work like this.

Re:Conceptual problem (2, Informative)

zataang (596856) | more than 7 years ago | (#17423210)

Please don't jump to conclusions. As one of the comment above notes, cross-domain xmlHTTPRequests are anyway blocked by all the main browsers. The problem in this case is because of a particular way in which the data is stored by Gmail. Calling it a design flaw of JSON is stupid.

Re:Conceptual problem (1)

RvLeshrac (67653) | more than 7 years ago | (#17424090)

This is a design flaw in Gmail because it affects all of the browsers involved, right? It doesn't just affect one of them?

Seriously, if this was an issue with all of the involved browsers, it would obviously be a flaw in Gmail. That's not the case.

Re:Conceptual problem (1)

JackHoffman (1033824) | more than 7 years ago | (#17425052)

Technically you're right: JSON is not limited to Javascript, even though the acronym means "JavaScript Object Notation". However, since JSON messages are by definition valid Javascript object definitions, it's not surprising that it's mostly used in the way GMail uses it: The page loads and executes scripts to move data from the server into the application on the client. This typical way of using JSON is prone to be exploited in the described fashion, unless the programmer has implemented additional security.

Re:Conceptual problem (1)

duncanthrax (149400) | more than 7 years ago | (#17423492)

JSON is not the problem (the contact list could also be in XML or whatever other format), but the fact that Google hands out the contact list "script" based on cookie validation only. A simple referrer check should provide "good enough" security.

Nope; it's more of Google's arrogant sloppiness (0)

Anonymous Coward | more than 7 years ago | (#17424012)

I like how so many of you are pointing the blame to anyone BUT Google.
Substitute Hotmail for GMail in the article, and see if you have the same spin.
We all know that if hotmail had this vulnerability, there'd be hundreds of posts here gloating. Instead, we have Google sycophants spinning like crazy!!

Get it through your thick skulls - Google's programmers are no better than anyone else's. They all come from the same universities. Google programmers are not gods, they're humans, and just as capable of screwups as anyone else. Maybe even more so, given the arrogance of the company that leads their employees to believe their own press clippings about how superior they are to anyone else.

This is not the first time that Google has been extremely sloppy and careless with users' personal info, and it won't be the last.
And to think, this is the company that slashdotters advocate businesses use for corporate email and corporate document storage!! LOLOLOL

Some Background Information (0, Offtopic)

TubeSteak (669689) | more than 7 years ago | (#17422162)

TFA has a link to this site for a demo:
http://googlified.com.googlepages.com/contactlist.htm [googlepages.com]

The page now says: Causing too much trouble already... I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google.

plugging googlified.com.googlepages.com into google [google.com]
brings us to this url: http://blog.outer-court.com/forum/79255.html [outer-court.com]

Which in turn has a link to this site:
http://googlified.com/2006download-the-google-maps [googlified.com]

A whois lookup on googlified.com
Domain Name.......... googlified.com
    Creation Date........ 2006-02-06
    Registration Date.... 2006-02-06
    Expiry Date.......... 2007-02-06
    Organisation Name.... Feng Zeng
    Organisation Address. [home(?) address]
    Organisation Address. Columbus
    Organisation Address. 43229
    Organisation Address. OH
    Organisation Address. UNITED STATES

Admin Name........... Haochi Chen
    Admin Address........ [home(?) address]
    Admin Address........ Columbus
    Admin Address........ 43229
    Admin Address........ OH
    Admin Address........ UNITED STATES
    Admin Email.......... haochi.chen@gmail.com
    Admin Phone.......... [real phone number]


P.S. http://googlified.com/about/ [googlified.com]
"More deeply, I am a 16 year old from the political battle ground in the United States - Ohio. I am currently a sophomore in a not-so-bad high school."

Re:Some Background Information (1)

hakrzcode (827494) | more than 7 years ago | (#17422596)

How is this relevant? Does this make him a terrorist?

Re:Some Background Information (0)

Anonymous Coward | more than 7 years ago | (#17422674)

you're a stupid karma whoring faggot. offer something insightful u worthless sack of shit. hey wait, i know better. GO DIE

Re:Some Background Information (1)

clear_thought_05 (915350) | more than 7 years ago | (#17423646)

First: What does this have to do with the subject at hand? Off topic. -1
Second: If you take
http://googlified.com.googlepages.com/contactlist.htm [googlepages.com]
and just strip the html page and go to:
http://googlified.com.googlepages.com/ [googlepages.com]
You'll find a link to googlified.com

Some things are so simple they're complicated I guess.

Not valid JSON, is it? (1)

claes (25551) | more than 7 years ago | (#17422216)

I think the keys in JSON need to be strings

Re:Not valid JSON, is it? (0)

Anonymous Coward | more than 7 years ago | (#17422714)

It's also not valid XML, not valid C, not valid Lisp, not valid French... what's your point?

It's a trap! (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17422246)

Lies, lies, lies!

Google has 5000 phds, they do no evil and are just plain better than Microsoft. How could this happen? Simple answer: it didn't. It's a trap! Microsoft wants you to think that Google sucks as much as them, which any non-ignorant /. user knows it's simply not true.

This is a nightmare implanted on our brains to make us think this is true! Don't believe it... It will soon vanish from our minds. Just keep browsing and DON'T ASK QUESTIONS. Thanks.

Wow! (4, Funny)

repruhsent (672799) | more than 7 years ago | (#17422292)

I'm glad that I run Firefox on Linux!

Oh wait...

Microsoft (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17422300)

Ok guys, how can we make Microsoft look bad with this one?

you insEn5itive clod! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17422328)

Fixed? (4, Informative)

prestonmcafee (923223) | more than 7 years ago | (#17422380)

According to

http://blogs.zdnet.com/Google/?p=434
it is fixed.

According to... (1)

deesine (722173) | more than 7 years ago | (#17422612)

me, at 843 hours (PST), using FF 2.0.0.1, the problem is not fixed.

Re:Fixed? (1)

repruhsent (672799) | more than 7 years ago | (#17422616)

Anyone brave enough to check this out? Hopefully they did fix this. If someone figured out how to post this code to a certain popular social networking site [myspace.com] it could have disastrous fallout.

Fixed for me... (1)

carney1979 (189847) | more than 7 years ago | (#17423106)

As reported, it is fixed, at least in my case where I'm using Firefox 2.0 on Linux.

I like how open source software bugs get fixed (usually) really fast when compared to non-open source software.

David

Re:Fixed for me... (1)

CNeb96 (60366) | more than 7 years ago | (#17425476)

It's a problem with gmail which affects every browser. No open source software involved.

Not Fixed (4, Informative)

astrosmash (3561) | more than 7 years ago | (#17423132)

Still works for me. You can run this script from a local html file to check:

<html>
<head>
<script>
// Callback named in the URL below; Google's response is a script that calls
// it with the contact data as its argument.
function google(a) {
  document.write("<ol>");
  for (var i = 0; i < a.Body.Contacts.length; i++) {
    document.write("<li>" + a.Body.Contacts[i].Email + "</li>");
  }
  document.write("</ol>");
}
</script>
<!-- Loaded as a script, so the browser sends the Gmail cookie with the request. -->
<script src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999"></script>
</head>
<body>
Hello
</body>
</html>

Re:Not Fixed (1)

complete loony (663508) | more than 7 years ago | (#17425666)

JS is often cached. The code you posted did not work for me.

Typical of /. (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17422440)

If this was a problem with hotmail or yahoo, by now, there would have been a zillion posts trashing MS or yahoo. Since it is gmail, every post is trashing the submitter for saying firefox only and ignoring the other browsers (although that is a problem too). How typical of slashdot sheep

Re:Typical of /. (0)

Anonymous Coward | more than 7 years ago | (#17424010)

Waaahhhh!!!

Galeon too (2, Informative)

phrostie (121428) | more than 7 years ago | (#17422470)

just FYI, it works with Galeon (2.x) as well.

Can be solved with HTTP referer (1)

moria (829831) | more than 7 years ago | (#17422500)

I think it can be solved by Google checking HTTP referer [wikipedia.org] before sending out the contact list via JSON, as long as the browser does not use cached content.

Re:Can be solved with HTTP referer (1)

vitality-jtw (1045542) | more than 7 years ago | (#17422538)

That wouldn't help as the referrer can be spoofed: http://en.wikipedia.org/wiki/Referer_spoofing [wikipedia.org]

Re:Can be solved with HTTP referer (1)

moria (829831) | more than 7 years ago | (#17422620)

That hack needs the user himself to install suicide spoof extensions/plugins. Since we trust the users, it should not be a concern. Good to know the problem has already been fixed.

can't spoof it (1)

r00t (33219) | more than 7 years ago | (#17422918)

Who has the gmail cookie?
Who wants to do the spoofing?
How is the spoofer going to get the cookie?

Right...

Re:Can be solved with HTTP referer (1)

jZnat (793348) | more than 7 years ago | (#17422724)

And to solve the cache problem, they send the "Cache-Control: no-store, no-cache, must-revalidate" header for that script.

The Web browser as application portal (1)

Dystopian Rebel (714995) | more than 7 years ago | (#17422750)

These problems will not go away. Software engineers will always make mistakes and malevolent people will always want your private data. The Web is "open" by design and therefore open to exploits.

With the Web browser becoming an application portal, users need to understand that doing transactions that involve their personal data must be separate from general Web browsing.

You can switch off cookie permission and Javascript but this limits the functionality of many sites. I think the best solution is to use two different browsers, one for personal transactions, the other for wandering the Web.

Wow (4, Informative)

Altanar (56809) | more than 7 years ago | (#17422836)

C'mon, /. You're reporting this now? It's already been fixed [digg.com].

Re:Wow (0)

Anonymous Coward | more than 7 years ago | (#17423366)

C'mon, Altanar. Click on the link in your own post and read it.

Re:Wow (1)

NereusRen (811533) | more than 7 years ago | (#17423412)

C'mon, Altanar. You're posting this now? It's not yet fixed [digg.com].

(Yes, that's your own link. Read the discussion.)

Re:Wow - MODERATORS PLEASE READ (1)

multisync (218450) | more than 7 years ago | (#17424076)

C'mon, mods. Follow the links and read [digg.com] before moderating.

Don't volunteer that much info to Google (1, Interesting)

mabu (178417) | more than 7 years ago | (#17422992)

This is only a problem for people who are violating one of the primary security policies in the first place, and that's putting your contact list in Gmail in the first place. While Google may claim to not be evil now, there's no guarantee at any time in the future, all the information they collect from you and on you won't be given or sold to other entities or otherwise exploited for nefarious purposes. In fact, it's pretty much an inevitability this will happen, so it's not smart in the first place to store much information on their systems when more secure alternatives already exist.

3rd party cookie problem (0, Offtopic)

rogersc (622395) | more than 7 years ago | (#17423254)

It looks to me as if the real culprit is 3rd party cookies. These have almost no legitimate use, and are mainly used by advertisers like doubleclick.net to track users. Third party cookies are turned on by default in the browsers, but you can turn them off. This is another reason to turn them off.

Hmm (0)

Anonymous Coward | more than 7 years ago | (#17423384)

Only happens in FireFox....and not IE7 (IE6 wasn't tested). At the time of my posting this, only 66 replies.

Funny. If it said "this only happens in IE" there would be 500+ replies, all saying how badly IE sucks and how you should use Opera or FF.

Funny how the /. fanbois ignore things that are exposures of security issues with Firefox...

Re:Hmm (0, Flamebait)

RvLeshrac (67653) | more than 7 years ago | (#17424030)

Better yet, if it was a vulnerability that only affected IE, it would be IE's fault.

Since the vulnerability only shows up in Firefox, however, it obviously must be the website's fault.

Think of the absurdity. "Three individuals purchased steak from Tesco recently. One of the individuals died after braising her cut in potassium cyanide, and a full investigation has been launched against the grocer. The other two individuals cited have suffered no ill effects."

Untested in most used browser? (0)

Anonymous Coward | more than 7 years ago | (#17423676)

How can an article about some browser vulnerabilities get to the front page when it says it's untested on the most used one?
"With some cell phones you can call for free. It works with Philips and Siemens, it does not on Panasonic, and has not been tested on Nokia, SonyEricsson or Motorola."
Lol, then test it before wasting our time.

I'm running at least two Firefox (0)

Anonymous Coward | more than 7 years ago | (#17423810)

I'm using one Firefox instance only for GMail/Yahoo!/eBay/banking websites and another one for surfing. Both instances are launched from separate user accounts, displayed on the same X (but in different 'virtual desktops'). I don't ever enter any personal information in the 'unsafe' user account I use for surfing. It's a sad state of affairs, but it's a fact that the list of vulnerabilities for every single browser is lloonngg (browsers more secure than IE [not hard] regularly have vulnerabilities rated 'critical'). So a long time ago I decided that surfing from my main user account was not a good idea. This post brought to you by a throwaway user called 'temp' that has only one non-hidden dir: ~/firefox/. For some time I was even surfing using a temp user on a throwaway Xen para-virtualized Linux guest, but sometimes I watch some Youtube/Metacafe crap and it wasn't nice over VNC.

GMail is beta (2, Funny)

asCii88 (1017788) | more than 7 years ago | (#17424384)

You shouldn't be surprised... as you all know GMail is still in beta.

Doesn't work in Opera 9.02 (1)

Rui del-Negro (531098) | more than 7 years ago | (#17424730)

It doesn't seem to work in Opera 9.02, despite some people saying that it works on every browser. Either Google has changed something or the example code isn't working.

Doesn't work in GYAFD (0)

Anonymous Coward | more than 7 years ago | (#17425134)

Worth noting that this exploit doesn't work at all if you use Google Apps For Your Domain, you just get a JS file saying "success: false"

Explanation & Possible Solutions (2, Interesting)

kazad (619012) | more than 7 years ago | (#17425166)

I posted this on reddit [reddit.com] which broke the story earlier, and on my blog [betterexplained.com]. Thought you might find it useful.

Quick follow-up. On digg someone posted the un-obfuscated code: http://www.cc.gatech.edu/~achille/contacts-source.txt [gatech.edu]

How it works

The code is pretty straightforward. Basically, Google docs has an embedded script that will run a callback function, passing the function your contact list as an object. The embedded script presumably checks a cookie to ensure you are logged into a Google account before handing over the list.

Unfortunately, the script doesn't check what page is making the request. So, if you are logged in on window 1, window 2 (an evil site) can make the function call. Since you are logged in somewhere, the cookie is valid and the request goes through.

Also, if you check the object that is returned, you see fields for the contact's name, email and "affinity". Presumably, a higher affinity means a more-emailed contact, so it may be possible to know the relative weight of links.

Possible solutions

Google is run by smart people and I'm sure they'll have this fixed soon. A few suggestions appear to be popping up, all centered on making sure the user is on a Google.com page and not a random site:

Referrer blocking: Block all requests from sites not in the google.com domain. However, some people run referrer-blocking software. It may be the price they have to pay for security, but there could be other consequences.

Script checks: An idea I had was to check the window.location (just like you check the cookie) to make sure it's coming from a google.com domain. This is another way to see what page is making the request.

Challenge-response: Google pages (like Gmail) can have some token or unique, computed data that they submit with their requests. Random pages won't have access to this token when they make the function call.

(From user JRF on reddit): Include part of cookie in the request URL as a unique token that only a "real" Google page would know. Need to watch out for proxies/browser history (accessible from other pages) being able to access this unique data. May need to seed or salt it in a challenge-response system.

It's interesting thinking of fixes for this - do you have any other suggestions for how Google would fix this?