Google Blogoscoped

Monday, January 1, 2007

Gmail Cross-site Scripting Vulnerability

Haochi Chen discovered what looks like a Gmail XSS (cross-site scripting) security problem. A small piece of JavaScript, which can be hosted on any server, reveals the visitor’s contact names and email addresses (provided the visitor is logged in to a Google account). I was able to reproduce this using Firefox, and an updated version of the original snippet. With Haochi’s code, a malicious website would be able to grab your contact list and transmit it to its own server behind the scenes, storing this data for other purposes – like spamming, or finding out more about you.

The cat’s already out of the bag in several places, but I won’t reproduce the JavaScript here. In the meantime, Haochi – who alerted the Google security team yesterday – removed the code sample from his server. If you’re worried about this Google vulnerability, the best thing until it’s fixed is to only visit sites you know and trust, or to turn off your browser’s JavaScript, or to log out of Gmail.

[Thanks Garett and Haochi!]

