In late December 2006, a somewhat serious security flaw in Google Mail (GMail) was uncovered. Specifically, while a user was logged into GMail in one browser window or tab, any other site they visited could grab their entire contact list. Whether that is a serious leak or not is a matter of perspective. At the very least, it exposes all of their contacts to even more spam than they already receive. The bug received coverage on Slashdot, Engadget, and other technology news sites.

The bug arises from the way in which GMail served a user's contacts as a JavaScript file. A browser attaches the GMail session cookies to any request for that file, including one made by a script tag on an unrelated page, so any website could load the file and read the contact data out of it. Google initially claimed to have fixed the bug, but a script linked on several sites showed that to be false. As of January 2nd, however, the hole appeared to have been plugged.

Plausible attacks

A site that wanted to be really sneaky could exploit this information in many ways. At the very least, it could be used to identify many of its visitors by name and email address. Knowing someone's contact list might help in launching phishing attacks. It could, for example, make it easier to work out what company someone works for. The attacker could then find out who runs that company's information technology and send spoofed emails that seem to come from the IT department, asking for passwords or other sensitive information.

If it is a site with content that many people would not want others to know they view, it could grab the email addresses of contacts with the same last name as the visitor and threaten to send them information about the visitor's browsing history. A less complicated ploy would be to send emails that seem to come from people the visitor knows, which are more likely to get through spam filters and to be trusted. Because the sender address of an email can be forged, it is very easy to make messages appear to come from someone else.

Implications

While not enormously serious in itself, the bug does raise questions about GMail and similar services in general. The sheer amount of information they hold makes any vulnerability concerning, especially since much of that material is confidential or highly private.


This node is also an entry on my blog, where there are links to related materials: http://www.sindark.com/2007/01/01/gmail-security-hole/