[ I really didn't want to write about this, but since many news sites (Slashdot, Digg) are already talking about it, writing about it here can't cause much more trouble. ]
Do you remember the post about the XML file that contained your Gmail contact list? Well, Haochi from Googlified discovered that by adding "out=js" to the end of that URL, you get the same data as JavaScript instead of XML. Even more, if you add "callback=name", the response becomes a call to a JavaScript function called "name" with your contacts as the argument, code that any web site can load with a <script> tag. This technique has a name, JSONP (JSON wrapped in a callback), and it's a very practical way of importing data into a JavaScript application. The problem here is that the browser attaches your Google cookies to that script request no matter which site made it, so while you are logged in to Gmail, any page you visit can define the callback function, receive your contact list and send it to its own server.
Google uses this JavaScript file to make it easy to send videos to your contacts from Google Video, and to invite people from Google Spreadsheets and Google Notebook. So it's not a bug in Gmail itself: these other Google services exposed the data in a way that is readable from any third-party site as well.
Google can fix this in several ways (for example, by adding the callback wrapper only when the request also carries a secret that a third-party page can't know) and will certainly do so. Until then, it's a good idea to sign out of Gmail when you're not using it.
Update (after a day): Google fixed the security vulnerability.
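As an added illustration (not Google's code and not part of the original post), the following Node.js script models the endpoint described above: a contacts handler that, given nothing but the user's cookie, wraps the data in a caller-chosen callback, next to a hardened variant that only does so when the request also carries a per-session token a third-party page cannot know. The endpoint path, session cookie, token, contacts and function names are all constructed for the example. `crossSiteScriptInclude` stands in for a hostile page that loads the URL in a `<script>` tag, and the hardened bare-data path shows why a same-origin XMLHttpRequest caller (the one the comments below discuss) should be the only one able to read the raw list.

```javascript
"use strict";
// Added example, not Google's code and not from the original post. It models a
// contacts endpoint that answers "out=js&callback=name" the way the post
// describes, next to a hardened version. SESSIONS, VICTIM_COOKIE, the contacts,
// the token and all function names are constructed for this demonstration.

const VICTIM_COOKIE = "SID=sid-7f3a";           // constructed login cookie
const SESSIONS = new Map([
  ["sid-7f3a", {
    user: "alice@gmail.com",
    // Per-session secret. A page on the same origin can read it; a page on any
    // other site cannot (same-origin policy), and the browser never sends it by
    // itself the way it sends cookies.
    token: "4f9d2c7be1a0c3d8",                  // constructed; would be random
    contacts: [
      { name: "Bob", email: "bob@example.org" },
      { name: "Carol", email: "carol@example.org" },
    ],
  }],
]);

// What the server sees for a given URL and Cookie header.
function parseRequest(url, cookieHeader) {
  const u = new URL(url, "http://www.google.com");
  const cookies = {};
  for (const part of (cookieHeader || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k) cookies[k] = v.join("=");
  }
  return { query: Object.fromEntries(u.searchParams), cookies };
}

// VULNERABLE: the behaviour described in the post. A valid cookie is the only
// check, and the private data is wrapped in whatever callback the URL names.
function contactsHandler(req) {
  const session = SESSIONS.get(req.cookies.SID);
  if (!session) return { status: 401, body: "" };
  const json = JSON.stringify(session.contacts);
  if (req.query.out === "js") {
    const cb = req.query.callback || "_callback";
    return { status: 200, body: `${cb}(${json});` };   // executable on any site
  }
  return { status: 200, body: json };
}

// HARDENED:
//  1. the callback wrapper is only produced when the request also carries the
//     session token, which a cross-site <script src=...> cannot supply;
//  2. the callback name must be a plain identifier, so the URL cannot inject
//     arbitrary JavaScript into the response;
//  3. the bare data response starts with a prefix that is a syntax error when
//     run as a script; a same-origin XMLHttpRequest caller strips it first.
const SCRIPT_BREAKER = ")]}'\n";
function secureContactsHandler(req) {
  const session = SESSIONS.get(req.cookies.SID);
  if (!session) return { status: 401, body: "" };
  const json = JSON.stringify(session.contacts);
  if (req.query.out === "js") {
    if (!sameSecret(req.query.tok || "", session.token)) return { status: 403, body: "" };
    const cb = req.query.callback || "_callback";
    if (!/^[A-Za-z_$][\w$]*$/.test(cb)) return { status: 400, body: "" };
    return { status: 200, body: `${cb}(${json});` };
  }
  return { status: 200, body: SCRIPT_BREAKER + json };
}

// Compares every character so the match time does not depend on the first
// differing position (production code would use crypto.timingSafeEqual).
function sameSecret(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// A page on another site does <script src="...?out=js&callback=name"> after
// defining function name(data) that forwards data to its server. The browser
// attaches the victim's Google cookie to that request no matter which site
// made it, then executes the response. The page only sees the data if the
// response really calls its function.
function crossSiteScriptInclude(handler, url, cookieHeader) {
  const res = handler(parseRequest(url, cookieHeader));
  let captured = null;
  if (res.status === 200) {
    try {
      new Function("name", res.body)((data) => { captured = data; });
    } catch (e) {
      // Response was not valid JavaScript (e.g. SCRIPT_BREAKER): nothing leaks.
    }
  }
  return { status: res.status, captured };
}

// A legitimate page on the same origin knows the token and still gets JSONP.
function sameOriginJsonp(sid) {
  const tok = SESSIONS.get(sid).token;
  return crossSiteScriptInclude(secureContactsHandler,
    `/data/contacts?out=js&callback=name&tok=${tok}`, `SID=${sid}`);
}
```

Calling `crossSiteScriptInclude(contactsHandler, "/data/contacts?out=js&callback=name", VICTIM_COOKIE)` hands the hostile page's callback both contacts; the same call against `secureContactsHandler` gets a 403 and nothing, while `sameOriginJsonp("sid-7f3a")` still works. The prefix on the bare response is not decoration: some browsers of the time let a hostile page read even an unwrapped JSON array loaded as a script by redefining the Array constructor, and a response that cannot parse as JavaScript closes that path as well.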
Google fixed it in a single case.
This doesn't work anymore:
http://video.google.com/data/contacts?out=js&callback=name
but there's a big list of working links:
http://docs.google.com/data/contacts?out=js&callback=name
http://www.google.com/notebook/contacts?out=js&callback=name
http://video.google.com/contacts/data/contacts?out=js&callback=name
and maybe others.
This is pretty funny. Google has fixed the first two links. Now there are two links that work.
:) Strange, huh?
Pretty scary. It could have huge spam potential. Set up a script on your site that sends your users' contacts to another website or database.
Only the last link from my list still works.
Only http://video.google.com/contacts/data/contacts?out=js&callback=name still works. But the full XML version still works, which seems good enough.
None of the addresses work, so Google fixed the whole thing.
The XML listing still works. Is it not possible to obtain this list via JavaScript?
To get the XML in JavaScript you need to use XMLHttpRequest, but this object has a big restriction: the domain of the requested URL must be the same as the one that serves up the page containing the script (same-origin policy).
"but this object has a big restriction: the domain of the requested URL must be the same as the one that serves up the page containing the script"
Last time I checked, IE6 didn't really follow this rule. Using AJAX (Msxml2.XMLHTTP or Microsoft.XMLHTTP, I don't remember which), one could get content from another URL. I tried this to display news RSS from another site using JS, but dropped it when I realized this wouldn't do for FF.
I tested some situations and it seems to be OK. If you can come up with some proof-of-concept code, post a link.
Hi,
see the next bug in Google Groups here:
http://weblogs.asp.net/mschwarz/archive/2007/01/03/pending-members-google-groups-xss-bug-part-2.aspx
I was just trying to figure out the XML URL to get the contacts list and found that the link
http://video.google.com/contacts/data/contacts?out=js&callback=name
still works!!!
And http://docs.google.com/data/contacts doesn't exist anymore.
My Gmail address book was hacked today. Most embarrassing since it went to work addresses. It is unfortunate that they have this hole and that they insist on adding every email contact automatically to my contact list.
http://www.google.com/contacts/data/contacts
http://www.google.com/contacts/data/contacts?out=js
It's back... happened to me. *sigh*