Gmail/Google XSS can be used to steal contacts (and the authentication token)

A combination of an XSS in Google Group web site, with a “feature” of Google Gmail integration with Google Groups allows an attacker that can trick you into click on a specially crafted URL to steal:

  • All Contacts you’ve ever mailed (Name and Email address)
  • Your Gmail authentication token

For more details go to this page.
(NOTE The vulnerability still works as of 2007-03-15 16:12 GMT+0)

  • kurt wismer

    this is one of those unintended consequences of single sign-on and why i dislike the concept so much…

    i wrote about this the last time gmail contacts were exposed by a vulnerability back in january and i basically came to the conclusion that people should use one account for their email/IM and a second non-gmail-related google account for all of google’s other offerings so that people are far less likely to be logged into gmail (and therefore exposing their contact) all the time…