Someone exploited an XSS vulnerability in Google Groups to run a script that obtains your Gmail contact list and does anything with it.
While the post insists on the Gmail contact list, I think the main problem is in Google Groups.
Note: the post actually contains a proof of concept.
http://mybeni.rootzilla.de/mybeNi/2007/gmail_information_disclosure/ |
It seems to be the same hack used by Haochi at the begining of the year |
Not quite. Haochi used the JS output directly. This time, they used the XML + a Google Groups flaw in parsing URLs. |
And the flaw is still there. Google Security team is on holiday? |