Gmail bug exposes your mail account to spammers
Like your Gmail account? Consider it a sacred place which must be protected from spammers at all cost? Yeah, us too. Well, we hate to break the bad news at the dawn of the new year but there's a weakness in Gmail which exposes your email address to any web site capable of exploiting the bug. As reported on Digg, the exploit takes advantage of the fact that Google puts your details into a JS file. As a result, if you're logged into Gmail and browsing the web, any rogue website can declare the function "google" and then parse all your contacts. The only way to safeguard yourself is to disable Javascript in your browser (or enabled it for trusted sites only) or simply climb into a hole and not browse while logged into Google services like Gmail, Blogger, Orkut, Reader, Calendar, etc. -- you know, the sites you typically have open all day long. For obvious reasons, we will not link directly to the site which demonstrates the exploit on your personal account due to the risk of running possibly malicious code. However, we tested it and found our most precious account -- and those of our contacts -- correctly identified and ready for harvest. But hey, even though Gmail has been out since 2004, it is still "beta"... right?Update 1: There are reports that Google has fixed the issue. Their "fix" is related and with any luck should be applicable. However, it's no fix. Don't believe us? Login to your fave Google service and give this non-malicious link a click.
Update 2: Google seems to have now patched the vulnerability.
Filed under: Misc. Gadgets
Reader Comments (Page 1 of 2)
Will Pillar @ Jan 1st 2007 6:29AM
And I wondered why my Spam box was topping 200 per day.
Its been in BETA too long. And I would have expected more of google then to allow this blatant error.
Furbn @ Jan 1st 2007 6:33AM
It's apparently already fixed.
http://blogs.zdnet.com/Google/?p=434
jon @ Jan 1st 2007 7:53AM
I'm glad its fixed, at least I know that I am not the only one keeping a bunch of Google products open in Firefox all day.
Ed French @ Jan 1st 2007 8:06AM
Not sure what the zdnet reference is, but it isn't fixed yet for me!
Thomas Ricker @ Jan 1st 2007 8:07AM
It is most definitely not fixed. The "fix" mentioned is for "video.google.com" not "docs.google.com"
Thomas
GJ @ Jan 1st 2007 9:17AM
Sure, until this is fixed I will logout when not using gmail. Previous harvesting of gmail is both eerie and inconsistent. Early on I got six gmail accounts which I have not yet used except for a monthly login and out. Names were specifically selected with numbers & punctuation & no vowels. I have a couple of gmail accounts which I use daily and which are recorded in many public places. Result? One of the published accounts and three of the unused accounts get the same rate of spam. The other published account and other three unused accounts get no spam at all.
Adam @ Jan 1st 2007 10:04AM
This happend to my last gmail account my new one got no spam at all
Me @ Jan 1st 2007 10:17AM
Does it really matter how much spam you get? You never have to see it and you don't have to download the extra mail like you would with a normal POP3 account.
Roque Mocan @ Jan 1st 2007 11:18PM
The spam filter may be excellent, but every day I have to wade through all the catched spam to look for false positives... and if there is more spam - even if it is catched - it means more work for me... So, this bug matters to me.
Richard @ Feb 24th 2007 3:29PM
Yes you do have to see it, because googles Spam filtering, like everyone else's is not 100% efficient. I have had to dig out legitimate emails out of my Spam box a few times.
RankSpotDotCom @ Jan 1st 2007 10:37AM
Thanks for pointing to this issue, this explains why gmail’s spam filter algo does outstanding work in detecting spam (99.9%).
Arochone @ Jan 1st 2007 11:04AM
Does it matter? I get 70 spam emails every day. I get about one or two a month that make it past the filters. On most other mail services, it's the other way around!
paul34 @ Jan 1st 2007 11:09AM
Yea. A few weeks ago I suddenly started getting spam in my spam folder... I've never gotten spam in my GMail before. It was disappointed to say the least. I know how about 5-7 spam messages in my GMail account daily. Yea, not exactly hundreds, but it used to be 0-1...
CaseyBlackburn @ Jan 1st 2007 11:31AM
I never get spam in my inbox. I do have over 6000 emails in the spam box though. I used to get spam in my inbox but then I wrote a filter that picks up spam emails that got past gmail's filter and then archives them and gives them a label, so then later I can report them as spam.
David @ Jan 1st 2007 3:41PM
How exactly does that filter work?
Dimitri @ Jan 1st 2007 11:53AM
Gmail is an online web page. The fact that it is used for email is irrelevant.
If spammers are able to access any .js files that is in a Gmail or Google.com page, then it seems to me that this is a security flaw in the BROWSER, and that ANY web page that uses JS files is at risk.
Maybe I'm wrong, but I smell a hoax.
Matt @ Jan 1st 2007 12:34PM
Yeah im tired of the damn viagra messages. I can stand up fine if you know what i mean.
Fucking spammers
CT @ Jan 1st 2007 1:23PM
I guess I am going to have to find a different way to store my credit card information. I gotta stop making contacts like 5555-1332-4444-2342-1208@mastercard.com
Ian O @ Jan 1st 2007 1:29PM
Note that the non-malicious link picks up a heap of info from Safari even if the Gmail page window is closed but not logged off.
Could be dodgy, for sure.
I also noted that if I closed a Gmail page, then clicked on the Gmail bookmark, I go back into the previously open account without out needing a log-on name & password. I assume that feature times out if inactive.
Jeff @ Jan 1st 2007 1:39PM
I have never given my gmail address out to ANYONE who wasn't a personal friend (well, other than Engadget - you guys selling my info?), so I've been wondering why I currently have 815 spam emails in my spambox. Nice job, Google.
It's yet another reason why being constantly logged in to Google is a bad thing - they also record all of your searches and keep those attached to your account also. That's a recipe for disaster too, as the AOL debacle showed, but this would be even bigger if that data ever got out.
My problem is I use Google's gmail notifier, so unless I want to lose that, I basically have to stay logged in. But at that point, I may as well just go back to using Outlook, because I need to know when I get email. (Yeah, I know I can use Outlook with gmail, and I do have that set up... but the point is I hate Outlook!)
Mary @ Jan 1st 2007 4:23PM
Jeff,
Try Thunderbird.
crescentdavid @ Jan 1st 2007 1:49PM
This is most definitely NOT FIXED. Thanks Engadget, especially for providing the test link. For all of you who don't think being able to read addresses is a big deal- please stay the hell away from me. And you spam discounters? It's no big deal? Jesus, I can smell a corporate tool.
Nathaniel C @ Jan 1st 2007 2:01PM
WTF that seriously craps me out that clicking that link gave me all my contacts lol, f*ck. Thats pretty messed up, and lik eother people said, im friggin tired of getting viagra messages in my gmail account all the time. Although the SPAM filter gets it all pretty much, its still annoying because i can delete all spam messages one second, and then literally 5 minutes later there will be at least another 10 or 15. >=(
L Mac @ Jan 1st 2007 2:10PM
Does anyone know if using NoScript with Firefox will protect me if I use Google notifier? What about the gmail notifier add on in Firefox itself?
Is there anything to protect people that use IE or Netscape?
Karl Viklund @ Jan 1st 2007 2:11PM
Was fixed faster then reported :)
Thanks to Google for fixing this issue so fast.
dexfx.sf @ Jan 1st 2007 2:18PM
A workaround is to have your g-mail open in one browser (say safari) and do your other surfing in another (firefox or whatever). I just tested the safari/firefox setup and the engadget test link couldnt' see the google contacts. I'm not sure how this will work for folks who use the g-mail notifier since I don't use that, but it's a start until Google gets a real fix out.
MM @ Jan 1st 2007 2:23PM
Still not fixed. Google does too many things at once and overlooks too many flaws in their programs so they get stuck in beta forever. You would think a company as big as Google could get things right a lot quicker than they do.
tech @ Jan 1st 2007 3:12PM
you guys are all gay, its obviously a browser leak. why is everyone pointing fingers at google for something that ertarded microsoft should fix.
another thing,.. pretty much anyone can write a script that reads your contacts from your email account.. from a computer that you are logged into
3rd point .. who really cares if that one folder called SPAM is filled... does that little number beside it scare you? you feel like theres little aliens comming to get you if there is alot of spam? like are we a bunch of little baby girls?
suk it up, its the world wide web, it will never be 100% secure.. unless there is nothing free on it, and only people who spend alot of money on their sites can have them hosted
just deal with it
umopapisdn @ Jan 2nd 2007 3:13AM
To those who don't understand how this is a security problem that Google needed to fix (and I believe HAS fixed, rather quickly)... this isn't about one website reading a JavaScript file from your machine across a different domain. This is a matter of a URL pointing to Google's servers that returns some JavaScript code which contains the user's gmail contact information, if currently authenticated. In other words, there needn't be a "flaw" in the browser for this to be exploited. All a website would need to do is include a JavaScript file in its own website and point to the special URL on Google's server. Then, additional JavaScript would be used to extrapolate the data. There are no rules that prevent one website from including JavaScript from another domain... in fact, this is how website analytic sites operate (even Google's Adsense and Google Analytics).
I would imagine that Google's fix likely involved checking the referrer that is requesting the JavaScript URL and, as a result, is only including the private information if the URL is being requested by one of Google's own sites. A way Google could make this even more secure is to include some unique ID (that has a short life-span) in the URL of the request... in other words, an additional layer of authentication that is URL-based.
This was a problem for Google to fix, yes... but they also fixed it rather quickly. No programming team (nor programmer) is 100% perfect. The best any company can do is be quick to respond when problems are uncovered. Microsoft often takes quite a bit of time to solve problems and even then, may wait up to a week before finally applying the fix. Google will often apply fixes within hours of being discovered. That is a very good sign.
Andrew @ Jan 1st 2007 3:48PM
To Thomas Ricker:
The URL in your update doesn't prove anything. Of course there are URLs which will display a user's Google data when they click them. If there weren't, they wouldn't be able to use any Google services. You can post a link to the Gmail page and any user can click it and see their own e-mail if they are logged in. Does that mean that you (Engadget) can see that person's e-mail? Of course not.
The issue is whether or not javascript running in the context of a non-Google domain can acquire and transmit a user's personal Google information (contacts, whatever) to a non-Google domain.
fadetowhite @ Jan 1st 2007 3:49PM
FWIW, I'm logged into Gmail, Calendar, Docs, and Reader and the link provided in the post gives me this:
google ({
Success: false,
Errors: []
})
Vimini @ Jan 1st 2007 4:13PM
I also tried the link and got the same result as fadetowhite. I am using Firefox, plus I tested it on IE6. I dunno how it is on IE7, so someone else will need to check it. So unless someone else can say that the glitch is still not fixed. I think this is all taken care of. Thanks Google.
russdogg @ Jan 1st 2007 4:13PM
I tried logging into every google service i could but the link still says
google Success: false, Errors: []
tried in safari and firefox.???
Daniel @ Jan 1st 2007 4:17PM
Looks like it's only a problem if you're using IE7. The link doesn't work if I click on it in Firefox. Thanks Microsoft.
Erik @ Jan 1st 2007 4:20PM
Just get the
google ({
Success: false,
Errors: []
})
When tried in Safari and Firefox in both XP and OSX
When tried in IE7 It tries to save it as an extentionless file called contacts
Indigo @ Jan 1st 2007 4:22PM
But it still doesn't show me my contacts
Erik @ Jan 1st 2007 4:23PM
Whoops that was still me...
Sam @ Jan 1st 2007 4:26PM
All the more reason to use Firefox and NoScript. And to use security zones in IE.
Soul @ Jan 1st 2007 4:27PM
I was wondering why my spam box gets about 25 spams an hour, and then I looked at the sender and the names were similar to the ones in my contact list, instead of Mark it would be like Marok or something like that. At least it's fixed now.
Jorey @ Jan 1st 2007 4:28PM
Firefox gives me the false success, IE7 has me save a file called contacts. Same as everyone else. Firefox rules! Whooo! Toga partyyyyy!!
brian @ Jan 1st 2007 6:21PM
i was wondering why i had like 14,000 spam messages since ive had my gmail account for over a year.
Eric M. @ Jan 1st 2007 9:58PM
Yeah. Firefox and Opera both give the "False" responses. Internet Explorer brings up a download file prompt for a file called "contacts". IE really sucks now and I'm happy I use Firefox. Props to Google if they fixed anything and I can relate to people because all of a sudden a couple of weeks ago I started receiving spam but at least Google is catching it.
dijitul @ Jan 2nd 2007 6:21AM
I don't see how SPAM messages became an issue from this topic regarding a Google email bug, as if spammers have been using this bug for decades to collect email addresses. Instead of griping about Microsoft or Google, why doesn't everybody go b*tch to their coworkers, friends and relatives who proceed to ignorantly forward chain-emails and jokes that still contain the forwarded headers of every person's email address who ever received the letter? Those have got to be a spammer's wet dream -- an email with an entire listing of valid addresses, for FREE. Or what about the virii that infect your computer because you were downloading illegal porn, mp3s, or pirated software from peer-2-peer.freak.net and didn't keep your anti-virus software up-to-date? Or what about those sixteen BLOG or FORUM messages you posted last week that had your email address clearly printed and searchable for any web surfer to read? You all are so quick to blame the corporations, but won't take any of the blame yourselves for the SPAM you get. Collect all your "Why do I have spam!?!?" energy and direct towards supporting laws and data protocols that prevent spammers from ever sending you the crap in the first place.
And thank you Google, because I've been enjoying your email service ever since it started and I have only received 6 SPAM messages as a result of using Craigslist -- luckily it was an anonymous address that quits functioning after the ad is deleted.
Happy New Year.
dijitul
Jsquil @ Jan 2nd 2007 12:35PM
"As reported on Digg..."
Sense when is anything reported on Digg?
Mili @ Jan 2nd 2007 1:08PM
'm using this account for a long time now, earlier I never used to get any spams, now I get loads and loads of 'em ,for online dating and ofcourse like others Viagra stuff..and my boyfren thinks i'm looking for online dates :-(
Spencer @ Jan 2nd 2007 2:38PM
Gmail is just a magnet for spam. When it was new, it was sure to get many more users, so spammers just randomly guessed at gmail addresses. I have several, and the one that is based on my name has been getting loads of spam since before I even gave anybody the address. The other gmail accounts that are not names, just words or other irregular things, get no spam.
VastOne @ Jan 2nd 2007 4:08PM
So what?!?!?!?!? This is bizzare, are you suggesting that your G mail account is somehow sacredly protected?
VastOne
bsm0f0 @ Jan 2nd 2007 7:05PM
whatever spam I get on my gmail account is nothing compared to the shit I received on my hotmail account before I let it die.
littlemachine @ Jan 2nd 2007 7:31PM
Oh dear, this sounded really terrifying. But i clicked on the non-malicious link (thanks engadget) while logged into my gmail account (i'm using Firefox) and it came up with only this:
google ({
Success: false,
Errors: []
})
So does that mean it's all fixed then? Hope so...
RaeVynn @ Jan 3rd 2007 5:18PM
I tried it, and got no contact information.
I even tried logging into my different gmail accounts, and doing it again.
I think it may be fixed.