GMail Vulnerable To Contact List Hijacking 139
Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a Javascript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7. IE6 was un-tested as of now."
Which is the problem? (Score:5, Insightful)
Works in most any java-script browser (Score:5, Insightful)
Why do I bother with this site? (Score:5, Insightful)
"So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7"
TFA says:
"I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three."
Got any jobs going? I could do nice armchair job at Slashdot. I'd be willing to work the full 3 hours a week.
Re:Works in most any java-script browser (Score:2, Insightful)
Re:Which is the problem? (Score:5, Insightful)
GMail. JSON should not be used for sensitive data because any old website can reference it simply by including it as an external script. The Google developers should not have used JSON for this information, they did, and that is why this information leak exists. There are ways to protect JSON from this (e.g. nonces) but you have to actually add this security yourself, rather than relying on the browser's built-in cross-domain security like you could if you were using XML etc.