Gmail leaves your account open to spammers

Jimmy 2004 · Jan 1, 2007, 11:08 AM

A new flaw has been exposed in Google’s Gmail service which could allow hackers to get hold of your contacts. When you log into your Gmail (Googlemail in some countries) account, Google will put your details into a JavaScript file. Because of this, if you browse other websites whilst logged into your account, any of them could potentially declare the function “google” and be able to get hold of all of your contacts. The only two ways to ensure your privacy is safe are to disable JavaScript in all websites except those you trust or to not browse other sites whilst logged into any Google service. Admittedly Gmail is still only a beta, but a fault like this could be quite serious.

Update: Disabling JavaScript did not solve this problem, however it appears that Google has now fixed this issue and your contacts list should be safe.

Source: Engadget

spectre440 · Jan 1, 2007, 01:04 PM

hopefully google will do the right thing, and plug that hole in their user's security.

peach1971 · Jan 1, 2007, 01:05 PM

Just use Firefox + Add-on NoScript.

Turn on Java to read your mails?
Lol, how far have we gone...

And here another usefull thing:
http://www.customizegoogle.com/

No more annoying ads!

cdawall · Jan 1, 2007, 01:11 PM

wondered how my account got spammed

Atech · Jan 1, 2007, 01:27 PM

Quote:

Originally Posted by peach1971

Turn on Java to read your mails?
Lol, how far have we gone...

This vulnerability has nothing to do with Java.

pt · Jan 1, 2007, 02:12 PM

no spam for me

(i don't have java installed)

peach1971 · Jan 1, 2007, 02:43 PM

Nothing to do with Java?

Quote:

Google will put your details into a JavaScript file. Because of this, if you browse other websites whilst logged into your account, any of them could potentially declare the function “google” and be able to get hold of all of your contacts.

Sorry, I don´t get it, Atech.

Jimmy 2004 · Jan 1, 2007, 03:00 PM

Quote:

Originally Posted by Atech

This vulnerability has nothing to do with Java.

Well, from what I read when posting this story it was a JS (JavaScript) file that causes this problem, and you disable Java to protect yourself so it must link to Java

Atech · Jan 1, 2007, 05:05 PM

Quote:

Originally Posted by Jimmy 2004

Well, from what I read when posting this story it was a JS (JavaScript) file that causes this problem, and you disable Java to protect yourself so it must link to Java

Code:

&lt;script language="javascript">
function getContacts(response){
var output = "";
for(x=0;x&lt;response.Body.Contacts.length;x++){
output += response.Body.Contacts[x].Name + " &lt;" + response.Body.Contacts[x].Email + "> ";
}
alert(output);
}
&lt;/script>

&lt;script language="javascript" xsrc="http://video.google.com/data/contacts?out=js&max=500 &psort=Affinity&callback=getContacts">
&lt;/script>

No calls to the Java API there.

Edit: Gah to having to escape characters within code tags ...

Jimmy 2004 · Jan 1, 2007, 05:09 PM

Quote:

Originally Posted by Atech

No calls to the Java API there.

Whatever the case is, log into your Gmail and click here to see a nice list of your contacts. I'm not sure how a hacker can get hold of this, but I expect it's true. The reason that it may no longer be using Java is because Google claim to have fixed the issue. I'm not expert on Java, I'm just informing people of what I find.

Edit: well I disabled JavaScript and that page still shows my contacts... but Gmail doesn't work. Probably need to clear my cookies ect.

Edit2: Disabling JavaScript does NOT seem to solve this problem, that link still shows my contacts after I have cleared all my internet data with Javascript disabled... and I can't even use the Gmail service!!!

Edit3: Couldn't the line
script language="javascript" xsrc="http://video.google.com/data/contacts?out=js&max=500 &psort=Affinity&callback=getContacts"
be linked to this?

WarEagleAU · Jan 1, 2007, 08:03 PM

Good thing I dont use Gmail, too hard to get one anywho.

mout12 · Jan 1, 2007, 08:07 PM

Quote:

Originally Posted by WarEagleAU

Good thing I dont use Gmail, too hard to get one anywho.

no. Go to mail.google.com, click 'SIGN UP', then enter your mobile phone number, and they'll send you a password via text message to your phone number. you'll have an account.

Namslas90 · Jan 1, 2007, 08:35 PM

Just proves that you can't rely on anyone to secure your PC, but yourself!

cdawall · Jan 1, 2007, 09:17 PM

Quote:

Originally Posted by WarEagleAU

Good thing I dont use Gmail, too hard to get one anywho.

whats your email i have some signups left

pt · Jan 1, 2007, 09:20 PM

i have 99, anyone wants

?

Bull Dog · Jan 1, 2007, 09:28 PM

Quote:

Originally Posted by Jimmy 2004

Whatever the case is, log into your Gmail and click here to see a nice list of your contacts. I'm not sure how a hacker can get hold of this, but I expect it's true. The reason that it may no longer be using Java is because Google claim to have fixed the issue. I'm not expert on Java, I'm just informing people of what I find.
...snip.

That link doesn't work for me.....meaning that when I am logged into my Gmail acct, and when I click on the link all I get is this:
google ({
Success: false,
Errors: []
})

Using FireFox.

Jimmy 2004 · Jan 1, 2007, 09:53 PM

Quote:

Originally Posted by Bull Dog

That link doesn't work for me.....meaning that when I am logged into my Gmail acct, and when I click on the link all I get is this:
google ({
Success: false,
Errors: []
})

Using FireFox.

Me too, I think they must've fixed it. I've updated the newspost again.

When I clicked that link earlier it would bring up a list in which you could find any info about your contacts you had saved.

Jan 1, 2007, 11:08 AM	#1
Jimmy 2004 Eligible for custom title Join Date: Jan 2005 Location: England Posts: 5,047 (1.66/day) Thanks: 134 Thanked 276 Times in 185 Posts System Specs	Gmail leaves your account open to spammers A new flaw has been exposed in Google’s Gmail service which could allow hackers to get hold of your contacts. When you log into your Gmail (Googlemail in some countries) account, Google will put your details into a JavaScript file. Because of this, if you browse other websites whilst logged into your account, any of them could potentially declare the function “google” and be able to get hold of all of your contacts. The only two ways to ensure your privacy is safe are to disable JavaScript in all websites except those you trust or to not browse other sites whilst logged into any Google service. Admittedly Gmail is still only a beta, but a fault like this could be quite serious. Update: Disabling JavaScript did not solve this problem, however it appears that Google has now fixed this issue and your contacts list should be safe. Source: Engadget Last edited by Jimmy 2004; Jan 1, 2007 at 09:55 PM.

System Name:	Jimmy 2004's PC
Processor:	S754 AMD Athlon64 3200+ @ 2640MHz
Motherboard:	ASUS K8N
Cooling:	AC Freezer 64 Pro + Zalman VF1000 + 5x120mm Antec TriCool Case Fans
Memory:	1GB Kingston PC3200 (2x512MB)
Video Card:	Saphire 256MB X800 GTO @ 450MHz/560MHz (Core/Memory)
Hard Disk:	500GB Western Digital SATA II + 80GB Maxtor DiamondMax SATA
Optical Drive:	LiteOn DVD & NEC DVD+/-RW DL
CRT/LCD Model:	Digimate 17" TFT (1280x1024)
Case:	Antec P182
Sound Card:	Audigy 4 + Creative Inspire T7900 7.1 Speakers
PSU:	Corsair HX520W
Software:	Windows XP Home

Jan 1, 2007, 01:04 PM	#2
spectre440 Join Date: Jul 2005 Location: Israel Posts: 739 (0.26/day) Thanks: 8 Thanked 15 Times in 13 Posts System Specs	hopefully google will do the right thing, and plug that hole in their user's security. __________________ “I hate to advocate drugs, alcohol, violence, or insanity to anyone, but they've always worked for me.” - Hunter S. Thompson

Processor:	Athlon 64 x2 4000+ (65nm Brisbane)
Motherboard:	Abit AN-M2 (AM2) nForce 630a
Cooling:	Stock everything (for the time being), 2x120mm fans (intake & exhaust)
Memory:	2GB (2x1024) OCZ Platinum PC2-6400 (4-4-4-15, 2T)
Video Card:	PowerColor ATI HD 2600XT 256mb GDDR4 PCI-e
Hard Disk:	Hitachi Deskstar 160GB SATA 3.0G/s, External USB2.0 WD 160GB
Optical Drive:	Pioneer DVR-212D
CRT/LCD Model:	LG 17' LCD (L1753TR)
Case:	HEC-Compucase 6A, black & grey
Sound Card:	On-Board 7.1 (realtek)
PSU:	Spire Zeno 650W
Software:	WinXP Pro SP2 (32-bit, for the time being)

Processor:	AMD Phenom II X2 550 @3600MHz (VCore -0.05V)
Motherboard:	Gigabyte MA-780G-DS3H (AMD SB700), BIOS: 04/14/09
Cooling:	Scythe Samurai cooled by 2x Enermax Warp 80mm ~700 RPM
Memory:	2x 1GB GeIL Ultra DDR2-800 @1066 CL4-5-5-15 2T
Video Card:	MSI R4830 OC (HD4830)
Hard Disk:	Samsung 400 GB S-ATA, WD 400GB S-ATA
Optical Drive:	Lite-on DVD ROM
CRT/LCD Model:	Samsung 2433BW 1920 x 1200 Pixel (16:10)
Case:	timeless office tower ;)
Sound Card:	Asus Xonar D1
PSU:	be quiet! Straight Power BQT E7-400W
Software:	Windows XP Pro 32bit

Jan 1, 2007, 01:05 PM	#3
peach1971 Join Date: Oct 2006 Location: Germany Posts: 504 (0.21/day) Thanks: 104 Thanked 47 Times in 42 Posts System Specs	Just use Firefox + Add-on NoScript. Turn on Java to read your mails? Lol, how far have we gone... And here another usefull thing: http://www.customizegoogle.com/ No more annoying ads!

Jan 1, 2007, 01:11 PM	#4
cdawall where the hell are my stars Join Date: Jul 2006 Location: some AF base Posts: 16,021 (6.43/day) Thanks: 457 Thanked 2,753 Times in 2,222 Posts System Specs	wondered how my account got spammed __________________

System Name:	Deployment build
Processor:	Phenom II B97@4080mhz 1.6v (24/7 4800mhz max clock)
Motherboard:	Asus Crosshair V Formula
Cooling:	Coolermaster V10 96w TEC, Scientific Rulian fans
Memory:	4x4GB Wintec ONE 1800 9-10-9 1.62v (24/7)
Video Card:	Sapphire 7950 3GB 1150/1400 1.27v
Hard Disk:	2x32GB STT SSD's raid 0, 1TB Samsung F3's, 1.5TB Seagate 7200.11
CRT/LCD Model:	STi 22"
Case:	Thermaltake Commandar MS-I Epic Edition
Sound Card:	E07K USB DAC->Fischer FA-002W High edition
PSU:	Antec TPQ-1200
Software:	windows 7 ultimate x64

Processor:	Kentsfield Q6600 @ 2.8GHz "I eat source code before breakfast"
Motherboard:	Asus Striker Extreme 680i (NB:C55XE, SB:MCP55XE)
Cooling:	Zalman 9700, 1200mm fan, 5120mm fans
Memory:	8GB OCZ PC6400 - 4*2 @ 622MHz (stability problems)
Video Card:	Geforce 8800GTS
Hard Disk:	2* Seagate Barracuda 7200.10 320GB - no RAID
Optical Drive:	Samsung Writemaster SATA DVD+-RW/RAM
CRT/LCD Model:	Mitsubishi Diamond Plus 74SB
Case:	Antec Nine Hundred + optional fans
Sound Card:	On board (sort of - SupremeFX ADI 1988B)
PSU:	Corsair HW 620w
Software:	Gentoo GNU+Linux amd64 (latest development kernel)

Jan 1, 2007, 02:12 PM	#6
pt not a suicide-bomber Join Date: Mar 2006 Location: Portugal Posts: 5,877 (2.24/day) Thanks: 106 Thanked 219 Times in 193 Posts System Specs	no spam for me (i don't have java installed) __________________ [img disabled]http://apax.eveonlinekb.com/?a=sig&i=39051&s=zealot[/img]

Processor:	AMD Turion 64 X2 Mobile TL-60 (Trinidad)
Motherboard:	ASUS F3Ka (ATI RS690M)
Cooling:	stock
Memory:	Nanya 2x1GB ddr2 667@5-5-5-15-2T
Video Card:	ATI Mobility Radeon HD2600 512MB DDR2@ 580mhz/486mhz
Hard Disk:	160GB on laptop+250GB external
Optical Drive:	DVD RW
CRT/LCD Model:	ASUS 15.4
Case:	Asus Laptop F3Ka chassis
Sound Card:	on-board
PSU:	1:30minutes battery
Software:	"genui xp", 'cause i hated vista

Jan 1, 2007, 08:03 PM	#11
WarEagleAU Bird of Prey Join Date: Jul 2006 Location: Gurley, AL Posts: 9,994 (3.99/day) Thanks: 3,810 Thanked 557 Times in 521 Posts System Specs	Good thing I dont use Gmail, too hard to get one anywho. __________________ =-TheEagle-= http://www.heatware.com/eval.php?id=62454 “You crazy? Surfing any website without an antivirus is like freaking with a dirty woman without protection” -OzzmanFloyd120 - Edited for content and clarity

System Name:	Boddha Getta
Processor:	AMD FX 6100 @ 4.432Ghz @1.401V
Motherboard:	ASUS M5A99X EVO AMD 990X AMD SB950
Cooling:	Custom Water. EK 240MM Kit, Supreme HSF - Runs 35C
Memory:	2 x 4GB Corsair Vengeance White LP @ 1.35V
Video Card:	XFX Radeon HD 6870 900/1050 (no OC yet)
Hard Disk:	WD Caviar Black 1.0TB, WD Caviar Green 1.0TB, WD 160GB
Optical Drive:	Samung SH22SL 22X Lightscribe DVD+/-R/RW LG BDRE Reader/Burner Lite ON Max Burner for burning Xbox
CRT/LCD Model:	Asus VH222/S 22: (21.5" Viewable) 1920x1080p HDMI LCD Monitor
Case:	NZXT White Phantom
Sound Card:	Onboard Realtek 5.1
PSU:	NZXT Hale 90 Gold Cert 750W Modular PSU
Software:	Windows 7 Pro 64 bit.
Benchmarks:	5.9 Windows Index rating 3D06 - 17472

Processor:	AMD 64 X2 4400+
Motherboard:	Abit AN8 SLI Fatal1ty
Cooling:	Fans
Memory:	2GB Corsair
Video Card:	7950GX2
Hard Disk:	WD 74GB 10,000 RPM X2 Raid:0
Optical Drive:	DVD-RW
CRT/LCD Model:	2007WFP 20.1-inch Widescreen
Sound Card:	Fatal1ty Creative X-Fi
PSU:	800W
Software:	Fruity Loops

Jan 1, 2007, 08:35 PM	#13
Namslas90 Join Date: Aug 2006 Location: Earth Posts: 3,908 (1.59/day) Thanks: 107 Thanked 577 Times in 533 Posts System Specs	Just proves that you can't rely on anyone to secure your PC, but yourself! __________________

Processor:	AMD PII 940
Motherboard:	Biostar TA790GXB3
Cooling:	Custom Air
Memory:	4GB G.SKILL (2x2)
Video Card:	ASUS Radeon HD 5970
Hard Disk:	2X32GB ST SSd R0 + WD500GB storage
Optical Drive:	22x DVD/CD combo R+/W+
CRT/LCD Model:	Asus 22" Widescreen
Case:	Thermaltake V9 BE
PSU:	PCP&C 750 Silencer

Jan 1, 2007, 09:20 PM	#15
pt not a suicide-bomber Join Date: Mar 2006 Location: Portugal Posts: 5,877 (2.24/day) Thanks: 106 Thanked 219 Times in 193 Posts System Specs	i have 99, anyone wants ? __________________ [img disabled]http://apax.eveonlinekb.com/?a=sig&i=39051&s=zealot[/img]

Processor:	AMD Phenom II 980 @3.9Ghz, 1.4v
Motherboard:	ASRock 790GX
Cooling:	IFX14 + 120x38mm Ultra Speed Panaflo
Memory:	4x 2GB G-Skill DDR2 @ 480MHz 5-5-5-15 2T
Video Card:	Radeon 7970 1000Mhz/1100Mhz
Hard Disk:	128GB Samsung SSD 830 + 2TB Hitachi
Optical Drive:	Asus DVD+DL
CRT/LCD Model:	Dell U2711
Case:	Cooler Master Centurion 590
Sound Card:	PCI-e X-Fi with 64MB of x-ram
PSU:	Enermax Modu 82+ 620w
Software:	Windows 7 x64

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)