Gmail leaves your account open to spammers

Jimmy 2004 · Jan 1, 2007

A new flaw has been exposed in Google's Gmail service which could allow hackers to get hold of your contacts. When you log into your Gmail (Googlemail in some countries) account, Google will put your details into a JavaScript file. Because of this, if you browse other websites whilst logged into your account, any of them could potentially declare the function "google" and be able to get hold of all of your contacts. The only two ways to ensure your privacy is safe are to disable JavaScript in all websites except those you trust or to not browse other sites whilst logged into any Google service. Admittedly Gmail is still only a beta, but a fault like this could be quite serious.

Update: Disabling JavaScript did not solve this problem, however it appears that Google has now fixed this issue and your contacts list should be safe.

View at TechPowerUp Main Site

spectre440 · Jan 1, 2007

hopefully google will do the right thing, and plug that hole in their user's security.

peach1971 · Jan 1, 2007

Just use Firefox + Add-on NoScript.

Turn on Java to read your mails?
Lol, how far have we gone...

And here another usefull thing:
http://www.customizegoogle.com/

No more annoying ads!

cdawall · Jan 1, 2007

wondered how my account got spammed

Atech · Jan 1, 2007

peach1971 said:
Turn on Java to read your mails?
Lol, how far have we gone...

This vulnerability has nothing to do with Java.

pt · Jan 1, 2007

no spam for me

(i don't have java installed)

peach1971 · Jan 1, 2007

Nothing to do with Java?

Google will put your details into a JavaScript file. Because of this, if you browse other websites whilst logged into your account, any of them could potentially declare the function “google” and be able to get hold of all of your contacts.

Sorry, I don´t get it, Atech.

Jimmy 2004 · Jan 1, 2007

Atech said:
This vulnerability has nothing to do with Java.

Well, from what I read when posting this story it was a JS (JavaScript) file that causes this problem, and you disable Java to protect yourself so it must link to Java :confused:

Atech · Jan 1, 2007

Jimmy 2004 said:
Well, from what I read when posting this story it was a JS (JavaScript) file that causes this problem, and you disable Java to protect yourself so it must link to Java

Code:

&lt;script language="javascript">
function getContacts(response){
var output = "";
for(x=0;x&lt;response.Body.Contacts.length;x++){
output += response.Body.Contacts[x].Name + " &lt;" + response.Body.Contacts[x].Email + "> ";
}
alert(output);
}
&lt;/script>

&lt;script language="javascript" xsrc="http://video.google.com/data/contacts?out=js&max=500 &psort=Affinity&callback=getContacts">
&lt;/script>

No calls to the Java API there.

Edit: Gah to having to escape characters within code tags ...

Jimmy 2004 · Jan 1, 2007

Atech said:
No calls to the Java API there.

Whatever the case is, log into your Gmail and click here to see a nice list of your contacts. I'm not sure how a hacker can get hold of this, but I expect it's true. The reason that it may no longer be using Java is because Google claim to have fixed the issue. I'm not expert on Java, I'm just informing people of what I find.

Edit: well I disabled JavaScript and that page still shows my contacts... but Gmail doesn't work. Probably need to clear my cookies ect.

Edit2: Disabling JavaScript does NOT seem to solve this problem, that link still shows my contacts after I have cleared all my internet data with Javascript disabled... and I can't even use the Gmail service!!!

Edit3: Couldn't the line
script language="javascript" xsrc="http://video.google.com/data/contacts?out=js&max=500 &psort=Affinity&callback=getContacts"
be linked to this?

WarEagleAU · Jan 1, 2007

Good thing I dont use Gmail, too hard to get one anywho.

mout12 · Jan 1, 2007

WarEagleAU said:
Good thing I dont use Gmail, too hard to get one anywho.

no. Go to mail.google.com, click 'SIGN UP', then enter your mobile phone number, and they'll send you a password via text message to your phone number. you'll have an account.

Namslas90 · Jan 1, 2007

Just proves that you can't rely on anyone to secure your PC, but yourself!

cdawall · Jan 1, 2007

WarEagleAU said:
Good thing I dont use Gmail, too hard to get one anywho.

whats your email i have some signups left

pt · Jan 1, 2007

i have 99, anyone wants

?

Bull Dog · Jan 1, 2007

Jimmy 2004 said:
Whatever the case is, log into your Gmail and click here to see a nice list of your contacts. I'm not sure how a hacker can get hold of this, but I expect it's true. The reason that it may no longer be using Java is because Google claim to have fixed the issue. I'm not expert on Java, I'm just informing people of what I find.
...snip.

That link doesn't work for me.....meaning that when I am logged into my Gmail acct, and when I click on the link all I get is this:
google ({
Success: false,
Errors: []
})

Using FireFox.

Jimmy 2004 · Jan 1, 2007

Bull Dog said:
That link doesn't work for me.....meaning that when I am logged into my Gmail acct, and when I click on the link all I get is this:
google ({
Success: false,
Errors: []
})

Using FireFox.

Me too, I think they must've fixed it. I've updated the newspost again.

When I clicked that link earlier it would bring up a list in which you could find any info about your contacts you had saved.

System Name	Jimmy 2004's PC
Processor	S754 AMD Athlon64 3200+ @ 2640MHz
Motherboard	ASUS K8N
Cooling	AC Freezer 64 Pro + Zalman VF1000 + 5x120mm Antec TriCool Case Fans
Memory	1GB Kingston PC3200 (2x512MB)
Video Card(s)	Saphire 256MB X800 GTO @ 450MHz/560MHz (Core/Memory)
Storage	500GB Western Digital SATA II + 80GB Maxtor DiamondMax SATA
Display(s)	Digimate 17" TFT (1280x1024)
Case	Antec P182
Audio Device(s)	Audigy 4 + Creative Inspire T7900 7.1 Speakers
Power Supply	Corsair HX520W
Software	Windows XP Home

Processor	Athlon 64 x2 4000+ (65nm Brisbane)
Motherboard	Abit AN-M2 (AM2) nForce 630a
Cooling	Stock everything (for the time being), 2x120mm fans (intake & exhaust)
Memory	2GB (2x1024) OCZ Platinum PC2-6400 (4-4-4-15, 2T)
Video Card(s)	PowerColor ATI HD 2600XT 256mb GDDR4 PCI-e
Storage	Hitachi Deskstar 160GB SATA 3.0G/s, External USB2.0 WD 160GB
Display(s)	LG 17' LCD (L1753TR)
Case	HEC-Compucase 6A, black & grey
Audio Device(s)	On-Board 7.1 (realtek)
Power Supply	Spire Zeno 650W
Software	WinXP Pro SP2 (32-bit, for the time being)

Processor	AMD Phenom II X2 550 @3600MHz (VCore -0.05V)
Motherboard	Gigabyte MA-780G-DS3H (AMD SB700), BIOS: 04/14/09
Cooling	Scythe Samurai cooled by 2x Enermax Warp 80mm ~700 RPM
Memory	2x 1GB GeIL Ultra DDR2-800 @1066 CL4-5-5-15 2T
Video Card(s)	MSI R4830 OC (HD4830)
Storage	Samsung 400 GB S-ATA, WD 400GB S-ATA
Display(s)	Samsung 2433BW 1920 x 1200 Pixel (16:10)
Case	timeless office tower ;)
Audio Device(s)	Asus Xonar D1
Power Supply	be quiet! Straight Power BQT E7-400W
Software	Windows XP Pro 32bit

System Name	All the cores
Processor	2990WX
Motherboard	Asrock X399M
Cooling	CPU-XSPC RayStorm Neo, 2x240mm+360mm, D5PWM+140mL, GPU-2x360mm, 2xbyski, D4+D5+100mL
Memory	4x16GB G.Skill 3600
Video Card(s)	(2) EVGA SC BLACK 1080Ti's
Storage	2x Samsung SM951 512GB, Samsung PM961 512GB
Display(s)	Dell UP2414Q 3840X2160@60hz
Case	Caselabs Mercury S5+pedestal
Audio Device(s)	Fischer HA-02->Fischer FA-002W High edition/FA-003/Jubilate/FA-011 depending on my mood
Power Supply	Seasonic Prime 1200w
Mouse	Thermaltake Theron, Steam controller
Keyboard	Keychron K8
Software	W10P

Processor	Kentsfield Q6600 @ 2.8GHz "I eat source code before breakfast"
Motherboard	Asus Striker Extreme 680i (NB:C55XE, SB:MCP55XE)
Cooling	Zalman 9700, 1200mm fan, 5120mm fans
Memory	8GB OCZ PC6400 - 4*2 @ 622MHz (stability problems)
Video Card(s)	Geforce 8800GTS
Storage	2* Seagate Barracuda 7200.10 320GB - no RAID
Display(s)	Mitsubishi Diamond Plus 74SB
Case	Antec Nine Hundred + optional fans
Audio Device(s)	On board (sort of - SupremeFX ADI 1988B)
Power Supply	Corsair HW 620w
Software	Gentoo GNU+Linux amd64 (latest development kernel)

Gmail leaves your account open to spammers

Jimmy 2004

New Member

spectre440

New Member

peach1971

cdawall

where the hell are my stars

Atech

New Member

pt

not a suicide-bomber

peach1971

Jimmy 2004

New Member

Atech

New Member

Jimmy 2004

New Member

WarEagleAU

Bird of Prey

mout12

New Member

Namslas90

New Member

cdawall

where the hell are my stars

pt

not a suicide-bomber

Bull Dog

Jimmy 2004

New Member

Processor	AMD Turion 64 X2 Mobile TL-60 (Trinidad)
Motherboard	ASUS F3Ka (ATI RS690M)
Cooling	stock
Memory	Nanya 2x1GB ddr2 667@5-5-5-15-2T
Video Card(s)	ATI Mobility Radeon HD2600 512MB DDR2@ 580mhz/486mhz
Storage	160GB on laptop+250GB external
Display(s)	ASUS 15.4
Case	Asus Laptop F3Ka chassis
Audio Device(s)	on-board
Power Supply	1:30minutes battery
Software	"genui xp", 'cause i hated vista

System Name	Pandemic 2020
Processor	AMD Ryzen 5 "Gen 2" 2600X
Motherboard	AsRock X470 Killer Promontory
Cooling	CoolerMaster 240 RGB Master Cooler (Newegg Eggxpert)
Memory	32 GB Geil EVO Portenza DDR4 3200 MHz
Video Card(s)	ASUS Radeon RX 580 DirectX 12 DUAL-RX580-O8G 8GB 256-Bit GDDR5 HDCP Ready CrossFireX Support Video C
Storage	WD 250 M.2, Corsair P500 M.2, OCZ Trion 500, WD Black 1TB, Assorted others.
Display(s)	ASUS MG24UQ Gaming Monitor - 23.6" 4K UHD (3840x2160) , IPS, Adaptive Sync, DisplayWidget
Case	Fractal Define R6 C
Audio Device(s)	Realtek 5.1 Onboard
Power Supply	Corsair RMX 850 Platinum PSU (Newegg Eggxpert)
Mouse	Razer Death Adder
Keyboard	Corsair K95 Mechanical & Corsair K65 Wired, Wireless, Bluetooth)
Software	Windows 10 Pro x64

System Name	Little Bear
Processor	Inten 3770K @4.4Ghz 1.2v
Motherboard	ASRock Extreme4-M
Cooling	Thermalright Macho120 Rev.A
Memory	4x4GB Samsung LP DDR3 @ 1866MHz 9-9-9-28
Video Card(s)	Radeon R9 290
Storage	256GB Samsung SSD 830 + 1TB SSD 840 EVO + 2.5in 1TB Hitachi
Display(s)	Dell U2711
Case	Silverstong SG10
Audio Device(s)	USB SB Omni
Power Supply	Enermax Modu 82+ 620w
Software	Windows 8.1 x64