GMail Vulnerable To Contact List Hijacking
Anonymous Coward writes "By simply logging in to GMail and visiting a website, a malicious website can steal your contact list, and all their details. The problem occurs because Google stores the contact list data in a JavaScript file. So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet Explorer 7. IE6 was untested as of now."
Which is the problem? (Score:5, Insightful)
Re:Which is the problem? (Score:5, Informative)
Re: (Score:2, Funny)
Why don't you ask
It's an information leak (Score:5, Informative)
It can be exploited by writing a callback function in JavaScript, which can do anything, and then passing it to the above link, which gives your function all the user's contact info.
Re: (Score:1)
Nowadays, since the release of FF, I have heard of lots of issues between GG and FF. You may have seen the latest update for Firefox 2.0 for the fixing of Gmail. I wonder what the reasons could be.
Re:Which is the problem? (Score:5, Insightful)
GMail. JSON should not be used for sensitive data because any old website can reference it simply by including it as an external script. The Google developers should not have used JSON for this information; they did, and that is why this information leak exists. There are ways to protect JSON from this (e.g. nonces), but you have to actually add this security yourself, rather than relying on the browser's built-in cross-domain security like you could if you were using XML etc.
Nonsense (Score:3, Interesting)
JSON is not the problem here. The problem was the stupid google({}) function call wrapped around the JSON in the reply. Remove that stupid function call and everything is fine. Since you cannot receive or send data via XmlHttpRequest to a domain other than the one that served up the HTML, you will not be at risk if only JSON is returned.
The sky is falling!
The sky is falling!
Sheesh.
Re: (Score:2)
It's not XML that is special, it's JSON, because it can be parsed as JavaScript.
You misunderstand, the whole point is that you don't need XMLHttpRequest if the data can be parsed as JavaScript. You just need to include it with a <script> element.
Re: (Score:2)
Huh? I must be missing something big here, because I thought the whole point of XMLHttpRequest is so that you could easily query the server for data without reloading any pages or (i)frames. Lots of people get that data in XML format, others use plain text, and it seems others use JSON. Whatever the format, you need XMLHttpRequest to get that data from
Re: (Score:2)
Here's an example [bluishcoder.co.nz].
Re: (Score:2)
I only mentioned XmlHttpRequest because some have incorrectly argued that you could still make an XHR call to a foreign website and get the raw JSON information. XHR prevents this with its site-of-origin policy. This bug was solely c
Re:Which is the problem? (Score:5, Informative)
When you surface data via Xml web services, you can only call the web service on the domain that the JavaScript calling it originates from. So if you write your web services with AJAX in mind exclusively, then you have made the assumption that JavaScript is securing your data.
The problem is created at two points:
1) When you rely on cookies to perform the implicit authentication that reveals the data.
2) When you allow rendering of the data in JSON which bypasses JavaScript cross-domain security.
This can be solved by doing two things:
1) Make one of the parameters to a web service a security token that authenticates the request.
2) Make the security token time-sensitive (a canary) so that a compromised token does not work if sniffed and used later.
The security token should be gathered by authenticating the user according to a mechanism that the user controls. Think of the way that the Flickr API asks you to grant an application access to your data.
Anyhow, use the NoScript extension in Firefox to ensure that your data is not compromised, as you will be able to choose to block the script from running, and in doing so prevent others from gaining access to your data.
The Internet Explorer alternative is to disable JavaScript, but few people ever do this because too few sites (especially Web 2.0 sites) degrade gracefully when JavaScript is disabled.
Submitter has a problem with Firefox? (Score:5, Informative)
I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three.
Does the submitter have some agenda against Firefox?
Re: (Score:1)
The link to test out the vulnerability seems to be down.
Re:Submitter has a problem with Firefox? (Score:5, Informative)
* supports cookies
* supports loading of resources from domains other than the one the currently-loaded page is hosted on
* supports accessing those resources
i.e. pretty much all (modern) browsers.
Re: (Score:1)
To give the submitter the benefit of the doubt, perhaps he or she read the article as it only works on the third one.
Or, the submitter works for Microsoft and is therefore required to make IE look spotless, lest a chair come sailing from the other end of the room.
Re: (Score:2, Funny)
Nah, it was just a gag to get people to RTFA.
Phew! (Score:4, Funny)
phew! - doesn't spell relief for the mainstream (Score:1)
I'm always happy to tell the tale of MS's FTC privacy bust in 2002. But there's a not-so-funny side to software vulnerabilities for the millions of poor slobs who aren't reading this thread, or any like it. I don't think the
Works in most any java-script browser (Score:5, Insightful)
How does this work (Score:2)
Re: (Score:1)
Google places a cookie on your browser which indicates you have authenticated to Google. The afflicted website makes the exact same AJAX call Gmail does in order to download the contact information. Since your browser holds the appropriate cookie, Google happily obliges and hands your contact information over to your browser. Google.com has no way of knowing that it was JavaScript from another site which initiated the request; the request is coming from your brows
Re:How does this work (Score:4, Informative)
Re:How does this work (Score:5, Informative)
1. Gmail sets a cookie saying you're logged in
2. A [3rd party] javascript tells you to call Google's script
3. Google checks for the Gmail cookie
4. The cookie is valid
5. Google hands over the requested data to you
If [3rd party] wanted to keep your contact list, the JavaScript would pass it to a form and your computer would happily upload the list to [3rd party]'s server.
At no point does [3rd party] make any request to Google.
Re: (Score:3, Informative)
http://docs.google.com/data/contacts [google.com]
it ought to be fine (Score:2)
My browser should not grant this ability to random javascript it finds on the web.
Re: (Score:1, Informative)
Why not? You're underestimating both how simple it is to spoof a referrer, and how stupid it is to use the referrer for security purposes.
nope (Score:2)
The spoof would have to work from JavaScript or Java, creating connections on behalf of the user. Merely opening a TCP/IP socket won't do, because you'd not be able to shove the cookie down the wire.
Re: (Score:2)
I don't know a whole lot about cookies, but wouldn't you think `wget` would provide a way to download them if you need to?
Re: (Score:2)
You don't get to run wget from within a browser belonging to somebody else, which is where you need to do the spoofing if you want to grab contacts info from somebody else.
Why do I bother with this site? (Score:5, Insightful)
"So far the attack only works on Firefox, and doesn't appear to work in Opera or Internet explorer 7"
TFA says:
"I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three."
Got any jobs going? I could do a nice armchair job at Slashdot. I'd be willing to work the full 3 hours a week.
Re:Why do I bother with this site? (Score:5, Funny)
Not with that sentence structure. You only made one grammar error. You could never be a
Speaking of grammar errors... (Score:2)
In other words, the submitter says that when a malicious website logs into Gmail and visits a website, it can steal my contact list.
Someone needs to learn how to use dependent clauses. The subject of the sentence above is a malicious website, and that's who is being described in the dependent clause as logging into Gmail and visiting a website.
Re: (Score:1)
Shouldn't that be "one grammatical error" or "one error in grammar?"
Thank goodness (Score:4, Funny)
Conceptual problem (Score:5, Informative)
Re: (Score:2)
From what I understand, as long as the user has a valid cookie, the information is fair game... and I imagine that there are implementations that do not even bother with a cookie.
Maybe the question is: Can it be fixed?
per-site fix is obvious (Score:3, Informative)
a. Place a 128-bit random number (UUID/GUID) into the URL for the contacts info.
b. Check the referrer (foreign JavaScript should not be able to forge this).
c. Place an encrypted copy of the cookie into the URL of the contacts info.
d. Embed the contacts info in the page instead.
Re: (Score:1)
There is a simple fix: rather than making a request to a remote site that tests only your logged-in cookie, it should instead send a "random" value with the request.
The way it works is:
Re: (Score:1)
Seriously, if this was an issue with all of the involved browsers, it would obviously be a flaw in Gmail. That's not the case.
+5 Right on the Money (Score:1)
Not valid JSON, is it? (Score:2)
Wow! (Score:2, Funny)
Oh wait...
Fixed? (Score:4, Informative)
http://blogs.zdnet.com/Google/?p=434
it is fixed.
According to... (Score:1)
Not Fixed (Score:5, Informative)
Still works for me. You can run this script from a local HTML file to check:
<html>
<head>
<script>
// Callback named in the src URL below; Google's script calls it with the contact list object.
function google(a) {
  document.write("<ol>");
  for (var i = 0; i < a.Body.Contacts.length; i++) {
    document.write("<li>" + a.Body.Contacts[i].Email + "</li>");
  }
  document.write("</ol>");
}
</script>
<script src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999"> </script>
</head>
<body>
Hello
</body>
</html>
Galeon too (Score:2, Informative)
Can be solved with HTTP referer (Score:1)
can't spoof it (Score:2)
Who wants to do the spoofing?
How is the spoofer going to get the cookie?
Right...
Re: (Score:2)
Mind sharing?
Your zero-day vulnerability is way bigger news than this gmail bug.
The Web browser as application portal (Score:2)
With the Web browser becoming an application portal, users need to understand that doing transactions that involve their personal data must be separate from general Web browsing.
You can switch off cookie permission and Javascript but this limits the functionality of many sites. I think the best solution is to use tw
Wow (Score:4, Informative)
Re: (Score:2)
(Yes, that's your own link. Read the discussion.)
Re: (Score:2)
The flaw *was* allowing *other sites* to use it as a src variable (i.e. someone *else's* site using that URL + your cookies).
This is indeed fixed.
Re:Wow - MODERATORS PLEASE READ (Score:1)
Don't volunteer that much info to Google (Score:2, Interesting)
Re: (Score:3, Interesting)
This is only a problem for people who are violating one of the primary security policies in the first place, and that's putting your contact list in Gmail in the first place. While Google may claim to not be evil now, there's no guarantee at any time in the future, all the information they collect from you and on you won't be given or sold to other entities or otherwise exploited for nefarious purposes.
Whilst this is true, it's just the same as giving one's details to banks, credit card companies, phone companies, etc, etc ... they all have access to private and confidential information. I'm not sure that there's any more reason to suspect that they're any better or worse than Google - and judging from all the credit card snail-mail spam (from rival companies) that I've got since reluctantly obtaining a credit card, there's very good evidence to suggest that they wilfully share this info.
Of course, by p
GMail is beta (Score:2, Funny)
Doesn't work in Opera 9.02 (Score:2)
Explanation & Possible Solutions (Score:2, Interesting)
Quick follow-up. On Digg someone posted the unobfuscated code: http://www.cc.gatech.edu/~achille/contacts-source.txt [gatech.edu]
How it works
The code is pretty straightforward. Basically, Google docs has an embedded script that will run a callback function, passing the function your contact list as an object. The embedded script presumably checks a cookie to ensure you are logged into a Google account before handing
Re: (Score:1)
1. Check the HTTP request method. If it is POST, send the data. For other request methods like HEAD and GET, send HTTP status code 403 (Forbidden).
2. For Google applications, they should use XMLHttpRequest and the POST method to retrieve the data. This will be allowed due to the same-domain policy.
3. Unless otherwise specified, browsers do a GET request for a required reso
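The server-side fix described in the posts above (a time-limited security token bound to the session, from the "Which is the problem?" and "per-site fix" posts, and serving the data only to POST over XMLHttpRequest rather than to a GET from a <script> include, from the post just above) as an added example; this is not Google's code or any poster's, and the secret, session table and contact data are constructed for the demo:

```python
import hmac, hashlib, json
# Constructed values for the demo; a real service would hold a per-deployment secret.
SECRET = b"server-side-secret-constructed"
SESSIONS = {"sid-abc": "alice"}          # session cookie value -> logged-in user
CONTACTS = {"alice": [{"Email": "bob@example.com"}, {"Email": "carol@example.com"}]}
TOKEN_TTL = 300                          # seconds a token stays valid (the "canary")

def issue_token(session_cookie, now):
    """Expiring token bound to the session; the page receives it, the cookie alone does not carry it."""
    exp = int(now) + TOKEN_TTL
    mac = hmac.new(SECRET, f"{session_cookie}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"

def token_valid(token, session_cookie, now):
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    if now > exp:                        # a sniffed token replayed after its lifetime
        return False
    expect = hmac.new(SECRET, f"{session_cookie}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expect)

def contacts_vulnerable(req):
    """Cookie is the only check, and the reply is wrapped in the caller's callback (JSONP)."""
    user = SESSIONS.get(req.get("cookie"))
    if user is None:
        return 401, ""
    body = json.dumps({"Body": {"Contacts": CONTACTS[user]}})
    cb = req["params"].get("callback")
    return 200, f"{cb}({body})" if cb else body

def contacts_hardened(req, now):
    """Same data, but only for POST with a valid token, and never as executable JavaScript."""
    user = SESSIONS.get(req.get("cookie"))
    if user is None:
        return 401, ""
    if req["method"] != "POST":          # a <script src=...> include can only issue GET
        return 403, ""
    if not token_valid(req["params"].get("token", ""), req["cookie"], now):
        return 403, ""
    return 200, json.dumps({"Body": {"Contacts": CONTACTS[user]}})  # plain JSON, no callback

# Constructed: the request a third-party page's <script src="...?callback=google"> makes the browser send.
SCRIPT_INCLUDE = {"method": "GET", "cookie": "sid-abc", "params": {"callback": "google"}}

def legit_xhr(now):
    """Constructed: the mail app itself doing POST over XMLHttpRequest with a fresh token."""
    return {"method": "POST", "cookie": "sid-abc", "params": {"token": issue_token("sid-abc", now)}}
```

The vulnerable handler answers the script-include request with `google({...})`, which the browser executes; the hardened one returns 403 to it, serves the app's own POST, and rejects the same token once its lifetime has passed.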
First link in the article (Score:1)
Re: (Score:2)
You mean probably many more yet-to-be-published ones. Google (and the rest of us) will only find out about these if the person who finds them is nice enough to tell everyone. While I'm guessing most people in the world are nice enough to do that, it's the few who aren't that I'm worried about...
But I guess these security violations and performance problems and accessibility issues are all small prices to pay if you want a fancy "Web 2.0" website...
Some details on how it works (Score:2)
not anymore (Score:1)
Fixed (Score:2)
What A Waste (Score:1)
My solution (Score:2)
Not perfect, but it works for me.
Re: (Score:1)
Second: If you take
http://googlified.com.googlepages.com/contactlist.htm [googlepages.com]
and just strip the HTML page and go to:
http://googlified.com.googlepages.com/ [googlepages.com]
You'll find a link to googlified.com
Some things are so simple they're complicated I guess.