Gmail/Google XSS can be used to steal contacts (and the authentication token)
March 15th, 2007 by noam, Filed under: Commentary, Google
A combination of an XSS in Google Group web site, with a “feature” of Google Gmail integration with Google Groups allows an attacker that can trick you into click on a specially crafted URL to steal:
- All Contacts you’ve ever mailed (Name and Email address)
- Your Gmail authentication token
For more details go to this page.
(NOTE The vulnerability still works as of 2007-03-15 16:12 GMT+0)
-
Are you scanning your site for vulnerabilities on a daily basis?
Subscribe
Subscribe
this is one of those unintended consequences of single sign-on and why i dislike the concept so much…
i wrote about this the last time gmail contacts were exposed by a vulnerability back in january and i basically came to the conclusion that people should use one account for their email/IM and a second non-gmail-related google account for all of google’s other offerings so that people are far less likely to be logged into gmail (and therefore exposing their contact) all the time…