Comments on: GMail’s Flaw Is Now Fixed http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/ Computer related blog Wed, 20 Aug 2008 17:46:41 +0000 http://wordpress.org/?v=2.6 By: Alex Bailey http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5514 Alex Bailey Tue, 02 Jan 2007 22:07:31 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5514 [quote comment="5474"]The bug has NOT been fixed..Try checking the same URL with the out param modified http://docs.google.com/data/contacts?out=xml&show=ALL&psort=Affinity&callback=google&max=99999 now your address book comes out in a xml format..[/quote] The output is XML. You can't declare the function "google" with XML. [quote] It is upsetting that some people(not us) feel the need to hack into other people’s accounts. [/quote] Had nothing to do with getting into people's accounts. It was to steal their contact list. [quote comment="5474"]The bug has NOT been fixed..Try checking the same URL with the out param modified

docs.googl...;max=99999

now your address book comes out in a xml format..[/quote]

The output is XML. You can’t declare the function “google” with XML.

[quote]
It is upsetting that some people(not us) feel the need to hack into other people’s accounts.
[/quote]
Had nothing to do with getting into people’s accounts. It was to steal their contact list.

]]> By: jim http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5512 jim Tue, 02 Jan 2007 21:37:54 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5512 It is upsetting that some people(not us) feel the need to hack into other people's accounts. It is upsetting that some people(not us) feel the need to hack into other people’s accounts.

]]> By: specialk http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5501 specialk Tue, 02 Jan 2007 17:15:15 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5501 Yeah, Google needs to get on this quickly. The exploit is still going strong and now the little guys (spammers and hackers) will now have plenty more people to send kind New Years greetings! Fix It Google! -specialk Yeah, Google needs to get on this quickly. The exploit is still going strong and now the little guys (spammers and hackers) will now have plenty more people to send kind New Years greetings!

Fix It Google!

-specialk

]]> By: Jordan http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5499 Jordan Tue, 02 Jan 2007 15:51:52 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5499 But if the output comes back in XML format how do you get the exploit to still work? You won't be able to access the script content because of the browser's cross-domain policies, right? The only reason you could before was because it was loaded as javascript. Or am I misunderstanding? I'm pretty sure this is why folks use JSON and cross-domain proxies But if the output comes back in XML format how do you get the exploit to still work? You won’t be able to access the script content because of the browser’s cross-domain policies, right? The only reason you could before was because it was loaded as javascript. Or am I misunderstanding? I’m pretty sure this is why folks use JSON and cross-domain proxies

]]> By: z http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5492 z Tue, 02 Jan 2007 13:42:15 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5492 Unless I'm mistaken this is just a page that returns some XML. Since it's not returning javasript you can't include it in your page header. So problem solved. Unless I’m mistaken this is just a page that returns some XML. Since it’s not returning javasript you can’t include it in your page header. So problem solved.

]]> By: nikolai http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5485 nikolai Tue, 02 Jan 2007 11:46:24 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5485 No, you were right the first time. The XML output can't be exploited No, you were right the first time. The XML output can’t be exploited

]]> By: Gent http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5478 Gent Tue, 02 Jan 2007 10:13:35 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5478 th0r is right, exploit still works. th0r is right, exploit still works.

]]> By: th0r http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5474 th0r Tue, 02 Jan 2007 08:19:57 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5474 The bug has NOT been fixed..Try checking the same URL with the out param modified http://docs.google.com/data/contacts?out=xml&show=ALL&psort=Affinity&callback=google&max=99999 now your address book comes out in a xml format.. The bug has NOT been fixed..Try checking the same URL with the out param modified

docs.googl...;max=99999

now your address book comes out in a xml format..

]]> By: Jake http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5470 Jake Tue, 02 Jan 2007 06:11:55 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5470 I'm not clear on how we know the bug is fixed. Couldn't they have just blocked calls from the specific websites that were running the demo exploit? Is there independent verification? I’m not clear on how we know the bug is fixed. Couldn’t they have just blocked calls from the specific websites that were running the demo exploit? Is there independent verification?

]]> By: YesThatTom http://www.cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5467 YesThatTom Tue, 02 Jan 2007 05:11:32 +0000 http://cyber-knowledge.net/blog/2007/01/02/gmails-flaw-is-now-fixed/#comment-5467 Imagine if this was an Outlook bug. It would have taken months (years?) for everyone to upgrade to the latest patch. Imagine if this was an Outlook bug. It would have taken months (years?) for everyone to upgrade to the latest patch.

]]>