
Gmail leaves your account open to spammers

Jimmy 2004

A new flaw has been exposed in Google's Gmail service which could allow hackers to get hold of your contacts. When you log into your Gmail (Googlemail in some countries) account, Google will put your details into a JavaScript file. Because of this, if you browse other websites whilst logged into your account, any of them could potentially declare the function "google" and be able to get hold of all of your contacts. The only two ways to ensure your privacy is safe are to disable JavaScript in all websites except those you trust or to not browse other sites whilst logged into any Google service. Admittedly Gmail is still only a beta, but a fault like this could be quite serious.

Update: Disabling JavaScript did not solve this problem, however it appears that Google has now fixed this issue and your contacts list should be safe.

 
Hopefully Google will do the right thing, and plug that hole in their users' security.
 
Just use Firefox + Add-on NoScript.

Turn on Java to read your mails?
Lol, how far have we gone... :D

And here's another useful thing:
http://www.customizegoogle.com/

No more annoying ads! :D
 
wondered how my account got spammed
 
no spam for me :)
(i don't have java installed)
 
Nothing to do with Java?

Google will put your details into a JavaScript file. Because of this, if you browse other websites whilst logged into your account, any of them could potentially declare the function “google” and be able to get hold of all of your contacts.

Sorry, I don't get it, Atech.
 
This vulnerability has nothing to do with Java.

Well, from what I read when posting this story it was a JS (JavaScript) file that causes this problem, and you disable Java to protect yourself so it must link to Java :confused:
 
Well, from what I read when posting this story it was a JS (JavaScript) file that causes this problem, and you disable Java to protect yourself so it must link to Java :confused:

Code:
<script language="javascript">
// Callback named in the script URL below; the response calls it with the contact data.
function getContacts(response) {
    var output = "";
    for (var x = 0; x < response.Body.Contacts.length; x++) {
        output += response.Body.Contacts[x].Name + " <" + response.Body.Contacts[x].Email + "> ";
    }
    alert(output);
}
</script>

<script language="javascript" src="http://video.google.com/data/contacts?out=js&max=500&psort=Affinity&callback=getContacts">
</script>
No calls to the Java API there.

Edit: Gah to having to escape characters within code tags ...
 
No calls to the Java API there.


Whatever the case is, log into your Gmail and click here to see a nice list of your contacts. I'm not sure how a hacker can get hold of this, but I expect it's true. The reason that it may no longer be using Java is because Google claim to have fixed the issue. I'm not an expert on Java, I'm just informing people of what I find.

Edit: well I disabled JavaScript and that page still shows my contacts... but Gmail doesn't work. Probably need to clear my cookies etc.

Edit2: Disabling JavaScript does NOT seem to solve this problem, that link still shows my contacts after I have cleared all my internet data with Javascript disabled... and I can't even use the Gmail service!!!

Edit3: Couldn't the line
script language="javascript" src="http://video.google.com/data/contacts?out=js&max=500&psort=Affinity&callback=getContacts"
be linked to this?
 
Good thing I don't use Gmail, too hard to get one anywho.
 
Good thing I don't use Gmail, too hard to get one anywho.

No. Go to mail.google.com, click 'SIGN UP', then enter your mobile phone number, and they'll send you a password via text message to your phone number. You'll have an account.
 
Just proves that you can't rely on anyone to secure your PC, but yourself!
 
i have 99, anyone wants :)?
 
Whatever the case is, log into your Gmail and click here to see a nice list of your contacts. I'm not sure how a hacker can get hold of this, but I expect it's true. The reason that it may no longer be using Java is because Google claim to have fixed the issue. I'm not an expert on Java, I'm just informing people of what I find.
...snip.

That link doesn't work for me.....meaning that when I am logged into my Gmail acct, and when I click on the link all I get is this:
google ({
Success: false,
Errors: []
})

Using Firefox.
 
That link doesn't work for me.....meaning that when I am logged into my Gmail acct, and when I click on the link all I get is this:
google ({
Success: false,
Errors: []
})

Using Firefox.

Me too, I think they must've fixed it. I've updated the newspost again.

When I clicked that link earlier it would bring up a list in which you could find any info about your contacts you had saved.
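
Added example, not part of the thread and not Google's actual fix: a Node.js simulation of the pattern discussed above, where an endpoint that returns script and checks only the login cookie hands its data to any page that defines the callback, next to one common hardening (a per-session token in a custom header plus a non-executable JSON body). Handler names, the session store, the X-CSRF-Token header and the contact data are all constructed for illustration.

```javascript
// Added example: simulation only. Handler names, session store and the
// X-CSRF-Token header are hypothetical; contact data is constructed.
const SESSIONS = {
  "sid-123": { csrf: "tok-abc", contacts: [{ Name: "Alice", Email: "alice@example.test" }] },
};
const PREFIX = ")]}'\n"; // makes the body a syntax error if loaded as a script

// Vulnerable: cookie is the only check, data is wrapped in a caller-named function.
function vulnerableHandler(req) {
  const s = SESSIONS[req.cookies.sid];
  if (!s) return { status: 403, type: "text/javascript", body: "" };
  const data = JSON.stringify({ Body: { Contacts: s.contacts } });
  return { status: 200, type: "text/javascript", body: `${req.query.callback}(${data})` };
}

// Hardened: ignores ?callback, requires a per-session token in a custom header,
// and answers with prefixed JSON that is not executable.
function hardenedHandler(req) {
  const s = SESSIONS[req.cookies.sid];
  const ok = Boolean(s) && req.headers["x-csrf-token"] === s.csrf;
  const payload = ok ? { Body: { Contacts: s.contacts } } : { Success: false, Errors: [] };
  return { status: ok ? 200 : 403, type: "application/json", body: PREFIX + JSON.stringify(payload) };
}

// A cross-site <script src> include carries the cookie but cannot set headers.
// new Function stands in for the browser running the response as a script.
function contactsSeenByOtherSite(handler) {
  const seen = [];
  const getContacts = (r) => r.Body.Contacts.forEach((c) => seen.push(c.Email));
  const res = handler({ cookies: { sid: "sid-123" }, headers: {}, query: { callback: "getContacts" } });
  try {
    new Function("getContacts", res.body)(getContacts);
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e; // non-script body: nothing executes
  }
  return seen;
}

// The site's own page sends the token via XHR/fetch and strips the prefix.
function contactsSeenBySameOrigin() {
  const res = hardenedHandler({ cookies: { sid: "sid-123" }, headers: { "x-csrf-token": "tok-abc" }, query: {} });
  return JSON.parse(res.body.slice(PREFIX.length)).Body.Contacts.map((c) => c.Email);
}

console.log("vulnerable: ", contactsSeenByOtherSite(vulnerableHandler));
console.log("hardened:   ", contactsSeenByOtherSite(hardenedHandler));
console.log("same-origin:", contactsSeenBySameOrigin());
```

The hardened handler answers a script include with an error body, in the same spirit as the `Success: false` reply quoted in the thread, while the site's own page still gets the list.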
 