Google Flaw not fixed, GMail contact stealing demo

Despite the flaw being announced a long time ago, the google Book search flaw is still broken. It's surprising that Google aren't taking it more seriously, this one is very easy to use to automate a users GMail account, stealing contacts, or sending email if they are logged into google when they're tricked into visiting such a page. Here's an example that will list your gmail contacts List your gmail contacts There's no reason why a page cannot also send emails, steal the contents emails or anything else. Given the length of time this has been public (I didn't find this flaw, it was posted to bugtraq on the 4th April, or 6 days ago) it's very possible that a worm that stole GMail information is already circulating. Disable script on! The script that gets the contacts is trivial:
function x() {
	xmlhttp = new XMLHttpRequest();"GET","",false);
	return xmlhttp.responseText;
the x function then contains a json structure containing the contacts, this can be easily changed into the output format with some simple regular expressions: see test6.js for those and the complete included script. The livehttpheaders extension in FireFox is how to find out how to do other things.


  1. debian-project mailing list Says:
    Well, that certainly got my attention. It appears to have been fixed now; or at least, the links Jibbering Jim provides don't work for me. ...