January 1, 2007

Gmail Contact List Exposure

[ I really didn't want to write about this, but because many news sites (Slashdot, Digg) already talk about this, it can't bring too much trouble. ]

Do you remember the post about the XML that contained your Gmail contact list? Well, Haochi from Googlified discovered that by adding "out=js" at the end of that URL, you can get the same data in JavaScript format. Even more, if you add "callback=name", you get a JavaScript code that can be used in any web site. This thing has a name: JSON and it's a very practical way of importing data into a JavaScript application. The problem here is that anyone can import your Gmail contact list (if you are logged in) and send it to a server.

The JavaScript file is used by Google to make it easy to send videos to your contacts in Google Video, to invite people in Google Spreadsheets and Google Notebook. So it's not a bug in Gmail, they just exposed some data in a wrong way.

Google can fix this in many ways and will certainly fix it. Until then, it's a good idea to sign out of Gmail when you're not using it.

Update (after a day): Google fixed the security vulnerability.

16 comments:

  1. Google fixed it in a single case.

    This doesn't work anymore:
    http://video.google.com/data/contacts?out=js&callback=name

    but there's a big list of working links:
    http://docs.google.com/data/contacts?out=js&callback=name
    http://www.google.com/notebook/contacts?out=js&callback=name
    http://video.google.com/contacts/data/contacts?out=js&callback=name
    and maybe others.

    ReplyDelete
  2. This is pretty funny. Google has fixed the first two links. Now there are two links that work.

    ReplyDelete
  3. Pretty scary. It could have huge spam potential. Set up a script on your site that sends your users contacts to another website or database.

    ReplyDelete
  4. Only the last link from my list still works.

    ReplyDelete
  5. Only http://video.google.com/contacts/data/contacts?out=js&callback=name still works. But the full XML version still works which seems good enough.

    ReplyDelete
  6. None of the addresses work, so Google fixed the whole thing.

    ReplyDelete
  7. The XML listing still works. Is it not possible to obtain this list via Javascript ?

    ReplyDelete
  8. To get the XML in JavaScript you need to use XMLHttpRequest, but this object has a big restriction: the domain of the requested URL must be the same as the one that serves up the page containing the script (same origin policy).

    ReplyDelete
  9. but this object has a big restriction: the domain of the requested URL must be the same as the one that serves up the page containing the script

    Last time I checked, IE6 didnt really follow this rule. Using AJAX (Msxml2.XMLHTTP or Microsoft.XMLHTTP, dont remember), one could get content from another url. I tried this to display News RSS from another site using JS, but dropped it when I realized this wouldnt do for FF.

    ReplyDelete
  10. I tested some situations and it seems to be OK. If you can come up with a proof-of-concept code, post a link.

    ReplyDelete
  11. Hi,

    see the next bug in Google groups here:

    http://weblogs.asp.net/mschwarz/archive/2007/01/03/pending-members-google-groups-xss-bug-part-2.aspx

    ReplyDelete
  12. I was just trying to figure out the xml url to get the contacts-list and found that the link

    http://video.google.com/contacts/data/contacts?out=js&callback=name

    still works !!!

    And http://docs.google.com/data/contacts doesnt exists anymore.

    ReplyDelete
  13. My Gmail address book was hacked today. Most embarrassing since it went to work addresses. It is unfortunate that they have this hole and that they insist on adding every email contact automatically to my contact list.

    ReplyDelete
  14. http://www.google.com/contacts/data/contacts
    http://www.google.com/contacts/data/contacts?out=js

    ReplyDelete

Note: Only a member of this blog may post a comment.