Follow Up on the GMail Bug
Google - January 1st, 2007 - By Haochi
UPDATE: Attention! The bug is not yet fixed!
Another Update: Seems to be fixed for now…
Two days ago, in “Google Video New Feature: Pick People to Email”, I mentioned that the feature “could be dangerous”. After messing with a few lines of code yesterday morning, I proved to myself that I was right: the feature is indeed dangerous. So I sent an email to the Google Security team and the GMail team. As usual, they sent me back an auto-response email.
Last night, a story called “GMail Hacked: Visit ANY Website, and Your Whole Contact List Can be Stolen” got on Digg’s home page, and at about the same time the story was picked up and submitted to Slashdot. This grabbed Google’s attention; later this morning they issued a few fixes, but not enough: the bug could still be used by a malicious site.
Finally, about an hour ago or so, Google patched the vulnerability thoroughly, as far as I can tell. That’s about thirty hours after I notified the Google Security team. It’s New Year, people.
Well, the bug has been fixed, but I guess some people will still have questions about it, so here are some FAQs. (Questions are from the Digg and Slashdot comments.)
- Zaphod-AVA asked, “So is this a Firefox, Gmail, or javascript vulnerability?” - Gmail’s, or you can say, Google’s, if you like that better.
- Neuros said, “it incorrectly identified me, too. thought I was my own mother. that… would be a little too weird for me.” - Haha, that’s my fault. :) Looks like you email your mother a lot.
- HaxityHaxHaxed exclaimed, “The source was the malicious content!” - I am not going to blame you for thinking that, since the script was “encoded”, but if you take a few seconds to look at the clear code, which you can obtain by using a Firefox built-in feature, “View Selection Source”, you will find that the code is not malicious - it does nothing but display your friends’ emails to you.
- Kuza55, “You know, the funny thing is you can decode that in seconds using the Web Developer toolbar, and I’m sure he spent at least a good 5-10 minutes or so encoding it……” - Yes, I actually spent a good few minutes encoding it, and I knew that you are able to use the Web Developer toolbar to see the code, but there are some people who don’t. By the way, thanks for clarifying about the code for me. :)
- Yazoo, “I’m not even logged in GMAIL and it still works!!! Try it for yourself. Where’s it getting the list from?” - If you share a GMail account with other Google services, such as Blogger, Orkut, or Google Docs & Spreadsheets, you will be automatically logged into Gmail.
There are just too many questions to be answered, so if you have one, feel free to leave a comment here and I will answer them one by one ASAP. Kazad, a commenter on Slashdot, has a great explanation on this one; you should take a look. :)
The last thing I want to say is that Google shouldn’t include the “callback” parameter when letting the client side call for JSON, especially when it contains such important information (email addresses, and possibly phone numbers, addresses, and names). With a callback, any site can load the JSON URL in a script tag and have the data handed to its own function. I don’t know the code that Google is using to pass this information, but in many cases, disabling the callback parameter should work well.
Happy New Year. :)
UPDATE: Forgot to mention that Google didn’t threaten me. This is a really popular question. :)


January 1st, 2007 at 6:47 pm
Haochi IS the boss! ;)
PS : “Well, the bug, has been fixed” > fixed? Really? ;-)
January 1st, 2007 at 6:57 pm
Okay. It didn’t. Err
January 2nd, 2007 at 11:27 am
Has this flaw really been fixed or does it just require the exploiting code to be modified? Is the following blog post correct in saying that the contact list is still available in XML format? Is the XML accessible to a script running in the context of a non-Google domain? If all a script can do is display the contact list in the user’s browser, that’s not a problem. But if it can transmit it to a non-Google web site, that’s a problem. I wish I knew more about javascript so I could determine the answer myself. Very frustrating.
http://browserden.co.uk/blog/2007/01/02/google-fixes-contact-list-flaw/
January 2nd, 2007 at 1:22 pm
I believe it is fixed now. The issue was that multiple properties had to incorporate the fix. My guess is that someone will post about it in more detail in a while, but I wanted to stop by and say thanks to Haochi for pointing this out.
January 2nd, 2007 at 3:31 pm
@Andrew
From what I know, XML can only be passed on the same domain. You can read more about this on Wikipedia here.
@Matt
Thanks for the heads up. :)
January 3rd, 2007 at 5:59 am
Hi Chen,
I have another Gmail bug for you. I have an account rafael.farias@gmail.com and another person in my country created an account rafaela.farias@gmail.com
The problem is: I receive all of rafaela’s e-mails and she receives my e-mails.
I have never seen that kind of bug before. Hey google! No donut for you!
regards,
Rafael.
January 3rd, 2007 at 12:58 pm
That’s why I have been getting spam for 1 week…
January 3rd, 2007 at 4:06 pm
From discovering the bug to having it fixed is like 3-4 days of time, where does one week come from?
January 3rd, 2007 at 4:16 pm
@Rafael
I think I have answered the question over at the Google Blogoscoped forum, you can find my answer here. (I was actually the first one to answer the question)
January 4th, 2007 at 5:58 am
The spam started coming about a week ago; before that I never received any.
February 6th, 2007 at 2:03 am
Hello,
I didn’t know where to post about gmail bugs or shortcomings,
so I am just posting it here.
The problem is with Gmail Notifier and Google Talk.
For example, if I have created specific tags and those tags get new email, neither of these programs notifies any new activity in those tags; they just report inbox (main folder) mails.
Yeah, that’s it :) peace out :)
February 6th, 2007 at 10:48 pm
Google Talk and Gmail Notifier are buggy… We shall forgive them…
June 14th, 2007 at 4:09 am
This one makes sense: “One’s first step in wisdom is to question everything - and one’s last is to come to terms with everything.”
September 23rd, 2007 at 2:00 pm
Can we hack gmail? If yes, then how? Please tell me.
October 26th, 2007 at 9:04 am
1) Open Internet Explorer and type http://www.gmail.com
2) Log in to your personal account, e.g. xyz@gmail.com
3) Open another window of IE and type http://www.gmail.com
4) See the bug: ( xyz@gmail.com ) is automatically opened.
The same bug applies to logout.
If we log out of an orkut account, it will log out the gmail account when we visit it in the same browser.
October 26th, 2007 at 9:37 am
@Ghanshyam
That’s completely normal for IE.
November 9th, 2007 at 2:24 am
Someone has hacked my gmail account and has changed the password and also the security question. I have not provided a secondary or alternate email address. Please try to recover my old gmail account; please help, I have lots of data to recover from it. Mail me on my id kinjal_malde009@yahoo.com; my hacked gmail id is kinjal.oswal009@gmail.com
Thank you
January 17th, 2008 at 2:09 pm
Hey, I have the exact same problem as rafael. My email id is somename@gmail.com (somename is just an example, my actual id is something else). Recently, some other guy created a Gmail account like somename28@gmail.com. Now, since he created this account, my inbox keeps getting emails from all the people as well as some social networking sites which were intended for this other guy. By no means are these typos, since I cross-checked with the mail headers and they read “somename28@gmail.com” in the To address. To double-verify this bug, I opened my other mail account and sent an email to somename28@gmail.com and no other recipient, either in To or CC or BCC. Surprisingly, I also received this test mail in my somename@gmail.com inbox. And probably the other guy didn’t receive it, since I never got a reply in my alternative account.
This is a very, very serious bug with gmail, and imagine what would happen to users’ privacy if other people kept receiving their mails!
I also reported this bug to Google Support, but never got a reply from them.
I hope this is not too common, and if it is, Google will take care of this asap.
January 19th, 2008 at 9:26 pm
Hello,
I’m a German national and a gmail user… - without technical knowledge.
I urgently need help with a similar problem. CONTACT DATA IS ACCESSED in my gmail account.
I always clear my folder “temporary internet files”. By chance I realised 2 days ago that there was a cookie which contained the mail id of an acquaintance. This was an email id which I myself haven’t used for 3 years.
It was clear to me that my account is being spied on. I observed the cookies after each log-in and it has now happened with 5 other addresses: all of them were part of a cookie. None of the addresses (part of a contact list with 300 mail ids) have I myself used in years!
There is also an authentication cookie which looks like a program file and which was never there before during all the years I used gmail.
Furthermore, there are cookies with question marks and squares.
Please help me!!! I don’t know what to do.
January 20th, 2008 at 10:39 am
@please help!
Well, simply clearing out the temporary internet files folder doesn’t delete all your online records, such as the cookies. There are different ways to delete your cookies, but it’s different from browser to browser (it’s quite simple though). You might want to look up “delete cookies” on Google.
January 21st, 2008 at 11:02 am
Thanks for your reply, Haochi.
My fear is: The cookie was induced by someone else’s action (not mine). Like I told you: It happened with contact data which I didn’t use for years. Therefore I conclude that the contact information is illegally accessed/read by someone else. Am I right?
March 5th, 2008 at 11:59 pm
Hi,
1> I have an account with the name “saurabhravi@gmail.com”.
2> Another person has a login account “saurabh.ravi@gmail.com”.
3> The problem is that all the mails for saurabh.ravi@gmail.com are coming into my account “saurabhravi@gmail.com”.
4> Even when I try to write a mail or forward it to saurabh.ravi@gmail.com, it comes directly to me.
5> So google is not able to understand the difference between saurabhravi@gmail.com and saurabh.ravi@gmail.com?? :)
April 17th, 2008 at 5:59 am
Hi,
1> I have an account with the name “bhaskar.net@gmail.com”.
2> Another person has a login account “bhaskarnet@gmail.com” (without ‘.’).
3> I am getting mails for bhaskar.net@gmail.com and also bhaskarnet@gmail.com.
4> This problem is not yet fixed.
May 2nd, 2008 at 3:00 am
How did Google fix it? I am not asking for anybody else’s idea, suggestion, or solution, but the very solution by Google.