Gmail Vulnerable to Contact List Hijacking

Using a form of cross-site scripting, it is easy to steal a Gmail user’s contact list when they visit a certain type of website. The only condition is that the user has to be logged in to Gmail at the time of the attack. Gmail is set up to store your contact list in JavaScript files, which is the core problem. If you log into your Gmail account and click here, you’ll see your contacts’ details, along with their email addresses. I’ve tried the hack on IE7, Opera, and Firefox; it appears to be working on all three. To see a demonstration of the attack, log in to your Gmail account and go to this website. I don’t know for sure if the list is being saved or not, so browse at your own risk. According to the website, they aren’t saving the data.

Something worth noting is that the email it claims is yours is never yours. I tried it on two different emails, and it failed both times. However, both times it listed the address I get email from most as mine. Also, the image I’ve included shows 23 contacts, when it did indeed list all 200 or so.

This has been a problem before for Gmail, and more details about the previous attacks can be found here. I guess this is why they keep the service in beta.

Credit for this exploit goes to Googlified.

Update 1
The code for the exploit can be found here. The original demonstration last night was in fact not malicious, so your contacts are safe.
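
The core problem described above, seen from the server side, as an added example that is not Gmail's code or code from the original post: a handler that returns contacts as executable JavaScript to any request carrying the session cookie, next to a hardened version. All names, the token header and the sample data are assumptions constructed for illustration.

```javascript
// Constructed sample data and sessions (hypothetical, for illustration only).
const CONTACTS = [{ name: "Alice Example", email: "alice@example.test" }];
const SESSIONS = { "sid-123": { user: "bob", csrfToken: "t0k3n-constructed" } };

// Before: contacts are served as a script to anyone holding a valid cookie.
// A <script src> tag on another site sends that cookie automatically, so the
// response executes inside the other site's page and hands it the data.
function serveContactsVulnerable(req) {
  if (!SESSIONS[req.cookies.sid]) return { status: 401, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "text/javascript" },
    body: `handleContacts(${JSON.stringify(CONTACTS)});`,
  };
}

const GUARD = ")]}',\n"; // not valid JavaScript, so a script include fails to parse

// After: the cookie alone is not enough. A script tag cannot set request
// headers, so a per-session token in a custom header shows the request came
// from the application's own page via XHR/fetch.
function serveContactsHardened(req) {
  const session = SESSIONS[req.cookies.sid];
  if (!session) return { status: 401, headers: {}, body: "" };
  if (req.headers["x-csrf-token"] !== session.csrfToken) {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // do not let browsers treat it as script
    },
    body: GUARD + JSON.stringify({ contacts: CONTACTS }),
  };
}

// The application's own client strips the guard before parsing.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD)) throw new Error("missing guard prefix");
  return JSON.parse(body.slice(GUARD.length));
}

// Constructed requests: a cross-site script include and the app's own XHR.
const crossSiteInclude = { cookies: { sid: "sid-123" }, headers: {} };
const ownPageXhr = {
  cookies: { sid: "sid-123" },
  headers: { "x-csrf-token": "t0k3n-constructed" },
};
```
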