Using a form of cross-site scripting, it becomes easy to steal a GMail user's contact list if they
visit a certain type of website. The only condition is that you have to be logged in to GMail at
the time of the attack. GMail is set up to store your contact list in JavaScript files, which is
the core problem. If you log into your GMail account, and click here -
http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999
you'll see your contacts' details, along with their email. I've tried the hack on IE7, Opera, and
Firefox; it appears to be working on all three. To see a demonstration of the attack, log in to
your GMail account and go to this website -
http://googlified.com.googlepages.com/contactlist.htm
I don't know for sure if the list is being saved or not, so browse at your own risk. According to
the website they aren't saving the data.
Something worth noting is that the email it claims is yours is never yours. I tried it on two
different emails, and it failed both times. However, both times it listed the address I get email
from most as mine. Also, the image I've included shows 23 contacts, when it did indeed list all
200 or so.
This has been a problem before for GMail, and more details about the previous attacks can be found
here. I guess this is why they keep the service in beta.
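
The endpoint pattern described above (contacts returned as JavaScript through a `callback` parameter, authorized only by the login cookie) next to a hardened handler, as an added example that is not from the original post or Google's code. The session store, the `x-csrf-token` header name, the handler names and all sample data are assumptions constructed for illustration.

```javascript
// Constructed sample data: session store and contact list (not real accounts).
const SESSIONS = { "sid-123": { user: "alice", csrfToken: "t0k3n-constructed" } };
const CONTACTS = { alice: [{ name: "Bob", email: "bob@example.com" }] };

// Constant-time string comparison for the token check.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// The pattern the post describes: cookie-only auth, data wrapped in a
// caller-chosen callback and served as script. A cross-site script include
// carries the cookie, so the data is handed to the including page.
function vulnerableContacts(req) {
  const session = SESSIONS[req.cookies.sid];
  if (!session) return { status: 401, headers: {}, body: "" };
  const body = `${req.query.callback}(${JSON.stringify(CONTACTS[session.user])})`;
  return { status: 200, headers: { "Content-Type": "text/javascript" }, body };
}

// Hardened: no callback support, and a per-session token in a custom header.
// A script include cannot set request headers, so it fails the check.
function hardenedContacts(req) {
  const session = SESSIONS[req.cookies.sid];
  if (!session) return { status: 401, headers: {}, body: "" };
  if (!safeEqual(req.headers["x-csrf-token"], session.csrfToken)) {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    // Non-executable prefix: the body is a syntax error if loaded as script.
    body: ")]}',\n" + JSON.stringify(CONTACTS[session.user]),
  };
}

// Request shape of a cross-site script include: cookie sent, no custom header.
const scriptInclude = { cookies: { sid: "sid-123" }, query: { callback: "google" }, headers: {} };
// The site's own client code, which reads the token from its page and sends it.
const ownXhr = { cookies: { sid: "sid-123" }, query: {}, headers: { "x-csrf-token": "t0k3n-constructed" } };
```

The site's own client strips the six-character prefix before calling `JSON.parse`.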