An unofficial blog that watches Google's attempts to move your operating system online since 2005. Not affiliated with Google.

Send your tips to gostips@gmail.com.

January 1, 2007

Gmail Contact List Exposure

[ I really didn't want to write about this, but because many news sites (Slashdot, Digg) already talk about this, it can't bring too much trouble. ]

Do you remember the post about the XML that contained your Gmail contact list? Well, Haochi from Googlified discovered that by adding "out=js" at the end of that URL, you can get the same data in JavaScript format. Even more, if you add "callback=name", you get a JavaScript code that can be used in any web site. This thing has a name: JSON and it's a very practical way of importing data into a JavaScript application. The problem here is that anyone can import your Gmail contact list (if you are logged in) and send it to a server.

The JavaScript file is used by Google to make it easy to send videos to your contacts in Google Video, to invite people in Google Spreadsheets and Google Notebook. So it's not a bug in Gmail, they just exposed some data in a wrong way.

Google can fix this in many ways and will certainly fix it. Until then, it's a good idea to sign out of Gmail when you're not using it.

Update (after a day): Google fixed the security vulnerability.

This blog is not affiliated with Google.