CyberKnowledge Technology Blog


GMail’s Flaw Is Now Fixed

Posted by Alex Bailey On January - 2 - 2007

Earlier I reported that Google had a flaw in which it stored contact details in a JavaScript file on its server. A website could declare the function “google” and, by including that file, have all of your contacts and their details placed into an array. From there the data could be parsed and sent to a malicious server using Ajax. Earlier today there were reports on ZDNet that said the flaw was fixed; at the time that wasn’t true. As of 8 PM EST the flaw has been fixed. When attempting to execute the attack, all you get now is a blank page. Visiting the old page on Google that revealed all the data in an XML file now gives an error:

google ({
Success: false,
Errors: []
})

If you visit the page and it still gives your contacts’ information, you need to log out of all Google services and then log back in. Doing so will result in the error. The exploit will fail to work, however, even if you haven’t logged out.

You have to give them credit for fixing the flaw on New Year’s Day, in under 24 hours.

Note
The link to the XML file on Google’s server isn’t exploitable. The hack worked using JavaScript, and the file that served the JavaScript now gives an error. The XML file can’t be used to exploit GMail.
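As an added example (not code from the original post or from Google), the simulation below emulates what a third-party page’s script inclusion does with three constructed response bodies: the pre-fix callback, the fixed callback, and the XML variant. It also shows the usual defensive pattern for a JSON callback endpoint, an unparseable prefix that breaks script inclusion while a same-origin client strips it. The “Contacts” field name, the sample addresses, and the guard prefix are assumptions for illustration.

```javascript
// Constructed sample responses (not Google's real output).
const PRE_FIX_RESPONSE = 'google({Success: true, Contacts: ["alice@example.com", "bob@example.com"]})';
const POST_FIX_RESPONSE = 'google({Success: false, Errors: []})';
const XML_RESPONSE = '<?xml version="1.0"?><contacts><contact email="alice@example.com"/></contacts>';

// Emulates a page that declares its own "google" function and then includes the
// response body as a script. The page-controlled "google" is passed as a
// parameter so the sample stays self-contained. Returns what that sink received.
function simulateScriptInclusion(body) {
  const captured = [];
  const sink = (data) => captured.push(data);
  try {
    new Function('google', body)(sink);
    return { executed: true, captured };
  } catch (e) {
    // XML is not valid JavaScript: the browser reports a SyntaxError and runs
    // nothing, and without JS execution there is no cross-domain read.
    return { executed: false, error: e.constructor.name, captured };
  }
}

// Contact addresses handed to the sink, if any (empty when nothing leaked).
function leakedContacts(body) {
  const { captured } = simulateScriptInclusion(body);
  return captured.flatMap((d) =>
    d && d.Success && Array.isArray(d.Contacts) ? d.Contacts : []);
}

// Defensive pattern (assumption: the legitimate client is a same-origin XHR that
// strips the prefix). The prefix is a syntax error at the start of a script, so
// <script src> inclusion fails, while a cooperating client still reads the data.
const GUARD_PREFIX = ")]}'\n";

function guardBody(body) {
  return GUARD_PREFIX + body;
}

function readGuardedViaXhr(body) {
  if (!body.startsWith(GUARD_PREFIX)) throw new Error('missing guard prefix');
  return body.slice(GUARD_PREFIX.length);
}
```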


10 Responses to “GMail’s Flaw Is Now Fixed”

  1. YesThatTom says:

    Imagine if this was an Outlook bug. It would have taken months (years?) for everyone to upgrade to the latest patch.

  2. Jake says:

    I’m not clear on how we know the bug is fixed. Couldn’t they have just blocked calls from the specific websites that were running the demo exploit? Is there independent verification?

  3. th0r says:

    The bug has NOT been fixed. Try checking the same URL with the out param modified:

    docs.googl...;max=99999

    Now your address book comes out in XML format.

  4. Gent says:

    th0r is right, exploit still works.

  5. nikolai says:

    No, you were right the first time. The XML output can’t be exploited

  6. z says:

    Unless I’m mistaken this is just a page that returns some XML. Since it’s not returning javascript you can’t include it in your page header. So problem solved.

  7. Jordan says:

    But if the output comes back in XML format how do you get the exploit to still work? You won’t be able to access the script content because of the browser’s cross-domain policies, right? The only reason you could before was because it was loaded as javascript. Or am I misunderstanding? I’m pretty sure this is why folks use JSON and cross-domain proxies.

  8. specialk says:

    Yeah, Google needs to get on this quickly. The exploit is still going strong and now the little guys (spammers and hackers) will have plenty more people to send kind New Year’s greetings!

    Fix It Google!

    -specialk

  9. jim says:

    It is upsetting that some people (not us) feel the need to hack into other people’s accounts.

  10. Alex Bailey says:

    [quote comment="5474"]The bug has NOT been fixed..Try checking the same URL with the out param modified

    docs.googl...;max=99999

    now your address book comes out in a xml format..[/quote]

    The output is XML. You can’t declare the function “google” with XML.

    [quote]
    It is upsetting that some people(not us) feel the need to hack into other people’s accounts.
    [/quote]
    Had nothing to do with getting into people’s accounts. It was to steal their contact list.
