[ I really didn't want to write about this, but because many news sites (Slashdot, Digg) already talk about this, it can't bring too much trouble. ]
Do you remember the post about the XML file that contained your Gmail contact list? Well, Haochi from Googlified discovered that by adding "out=js" at the end of that URL, you can get the same data in JavaScript format. Even more, if you add "callback=name", you get JavaScript code that can be included in any web site. This technique has a name, JSON, and it's a very practical way of importing data into a JavaScript application. The problem here is that any web site can import your Gmail contact list (if you are logged in) and send it to its own server.
Google uses this JavaScript file to make it easy to send videos to your contacts in Google Video and to invite people in Google Spreadsheets and Google Notebook. So it's not a bug in Gmail; Google just exposed some data in the wrong way.
Google can fix this in many ways and will certainly fix it. Until then, it's a good idea to sign out of Gmail when you're not using it.
Update (after a day): Google fixed the security vulnerability.
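To make the problem concrete, here is an added example (not Google's code) of a contacts endpoint in the leaky form described above, next to a hardened version that only emits data when the request carries a per-session token a foreign page cannot read. The session store, cookie name, token and contacts are all constructed sample data.

```javascript
// Constructed session store: cookie value -> account data.
const SESSIONS = {
  "sid-abc": {
    user: "alice",
    csrfToken: "tok-9f1e",
    contacts: [{ name: "Bob", email: "bob@example.com" }],
  },
};

// Browsers attach cookies to <script src=...> requests from any site, so
// identifying the user by cookie alone says nothing about who asked.
function lookupSession(req) {
  const m = /(?:^|; )SID=([^;]+)/.exec(req.cookie || "");
  return m ? SESSIONS[m[1]] : undefined;
}

// Leaky pattern: a logged-in user's contacts are wrapped in whatever callback
// the caller names, so any third-party page can read them via a script tag.
function leakyContacts(req) {
  const session = lookupSession(req);
  if (!session) return { status: 401, body: "" };
  const cb = req.query.callback || "callback";
  return { status: 200, body: `${cb}(${JSON.stringify(session.contacts)});` };
}

// Only plain identifiers are accepted as callback names, so the endpoint
// cannot be turned into a script-injection vector either.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]{0,63}$/;

// Hardened pattern: the request must carry a secret that only pages on the
// application's own origin can obtain (the same-origin policy keeps it away
// from other sites), so a cross-site script tag gets a 403 and no data.
function hardenedContacts(req) {
  const session = lookupSession(req);
  if (!session) return { status: 401, body: "" };
  if (req.query.token !== session.csrfToken) return { status: 403, body: "" };
  const cb = req.query.callback || "callback";
  if (!SAFE_CALLBACK.test(cb)) return { status: 400, body: "" };
  // Serving plain JSON to a same-origin XMLHttpRequest (no callback at all)
  // is the simpler fix; the callback is kept only to mirror the leaky form.
  return { status: 200, body: `${cb}(${JSON.stringify(session.contacts)});` };
}
```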
Labels: Gmail, Security
Google fixed it.
http://blogs.zdnet.com/Google/?p=434
Google fixed it in a single case.
This doesn't work anymore:
http://video.google.com/data/contacts?out=js&callback=name
but there's a big list of working links:
http://docs.google.com/data/contacts?out=js&callback=name
http://www.google.com/notebook/contacts?out=js&callback=name
http://video.google.com/contacts/data/contacts?out=js&callback=name
and maybe others.
This is pretty funny. Google has fixed the first two links. Now there are two links that work.
said on January 1, 2007 12:44 PM PDT:
:) Strange, huh?
said on January 1, 2007 2:15 PM PDT:
Jesus. This is F*CKING scandalous.
said on January 1, 2007 4:49 PM PDT:
Pretty scary. It could have huge spam potential. Set up a script on your site that sends your users' contacts to another website or database.
Only the last link from my list still works.
Anjanesh said on January 1, 2007 6:49 PM PDT:
Only http://video.google.com/contacts/data/contacts?out=js&callback=name still works. But the full XML version still works which seems good enough.
None of the addresses work, so Google fixed the whole thing.
said on January 2, 2007 4:12 AM PDT:
The XML listing still works. Is it not possible to obtain this list via JavaScript?
To get the XML in JavaScript you need to use XMLHttpRequest, but this object has a big restriction: the domain of the requested URL must be the same as the one that serves up the page containing the script (same origin policy).
said on January 2, 2007 5:24 AM PDT:
"but this object has a big restriction: the domain of the requested URL must be the same as the one that serves up the page containing the script"
Last time I checked, IE6 didn't really follow this rule. Using AJAX (Msxml2.XMLHTTP or Microsoft.XMLHTTP, don't remember), one could get content from another URL. I tried this to display news RSS from another site using JS, but dropped it when I realized this wouldn't do for FF.
I tested some situations and it seems to be OK. If you can come up with a proof-of-concept code, post a link.
Michael said on January 4, 2007 8:48 AM PDT:
Hi,
see the next bug in Google Groups here:
http://weblogs.asp.net/mschwarz/archive/2007/01/03/pending-members-google-groups-xss-bug-part-2.aspx
Anjanesh said on June 10, 2007 7:55 PM PDT:
I was just trying to figure out the XML URL to get the contacts list and found that the link
http://video.google.com/contacts/data/contacts?out=js&callback=name
still works!!!
And http://docs.google.com/data/contacts doesn't exist anymore.
Lisa said on January 10, 2008 5:33 PM PDT:
My Gmail address book was hacked today. Most embarrassing since it went to work addresses. It is unfortunate that they have this hole and that they insist on adding every email contact automatically to my contact list.