
Archive for the “Security” Category


Word about Google’s New Year gift might have reached some of your ears. Digg and Slashdot both ran a story about Google exposing your contacts to the WWW, simply by visiting a malformed page.

Well, here’s a quick roundup of the events of the last 48 hours. Not so much a timeline as an aggregation:

1. Jan 1st 2007, Haochi of Googlified posts a blog entry and follows up with a description of a demo exploit, describing how an attacker could use malicious XSS code to extract your contact addresses. He Diggs his own story and gets a muted response (typical Digg, did I hear you say?)…

2. Alex Bailey of Techread duly noted it on his blog (which can be read here); that post was then dugg and screamed its way to the front page as:
GMail Hacked: Visit ANY Website, and Your Whole Contact List Can be Stolen

3. About the same time as Digg, Slashdot picked up the story, and then, the whole world knew.

So, what exactly happened?

Apparently, when you log in to any Google-affiliated site, your GMail address book finds its way into your browser through a nifty JavaScript function call. And someone, somewhere, forgot the mandatory checks and balances. What this means is that you can see all your Gmail contacts lined up here.

Don’t worry, only you will be able to see them, and nobody’s using the link for any malicious purposes. Until this morning, the contacts could also be viewed in your browser. Google engineers acted immediately (well, 24 hours after the bug was posted by Haochi) and fixed part of the bug. You can no longer see your contact list in a browser. However, you can still get it in XML format.

The other part can still be exploited and is worse, as it directly provides the XML version of your address book. Hopefully the GTeam fixes this one in time, before the email harvesters have a field day.
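As an added illustration (not the post’s or Google’s code) of the bug class described above: the post says the address book reaches the browser through a JavaScript function call whenever you are logged in, so the model below contrasts an endpoint that relies only on the session cookie and returns executable JavaScript with a hardened version that demands a per-session token and serves non-executable JSON. Session ids, tokens, contacts and the `x-session-token` header name are constructed assumptions.

```javascript
// Constructed model of the bug class described above: a contacts endpoint that
// trusts only the ambient session cookie and hands the data back as a
// JavaScript function call (JSONP style). Not Google's code.
const SESSIONS = { "sid-123": { user: "alice", token: "tok-9f2c" } }; // constructed
const CONTACTS = { alice: ["bob@example.com", "carol@example.com"] };  // constructed

function sessionFor(req) {
  return SESSIONS[(req.cookies || {}).sid] || null;
}

// Vulnerable: any page that embeds <script src="...?callback=f"> while the
// victim is logged in gets f([...]) executed in its own origin, because the
// browser attaches the session cookie and the body is valid JavaScript.
function vulnerableContacts(req) {
  const s = sessionFor(req);
  if (!s) return { status: 401, body: "" };
  const cb = (req.query && req.query.callback) || "handleContacts";
  return { status: 200, body: `${cb}(${JSON.stringify(CONTACTS[s.user])})` };
}

// Hardened: (1) demand a per-session secret that a cross-origin page cannot
// read or attach to a <script> include, and (2) never return an executable
// body: the ")]}'," prefix makes the response a syntax error as a script,
// while the same-origin client strips it before parsing.
const JSON_PREFIX = ")]}',\n";
function hardenedContacts(req) {
  const s = sessionFor(req);
  if (!s) return { status: 401, body: "" };
  const sent = (req.headers || {})["x-session-token"];
  if (!sent || sent !== s.token) return { status: 403, body: "" };
  return { status: 200, body: JSON_PREFIX + JSON.stringify({ contacts: CONTACTS[s.user] }) };
}

// Legitimate client: strip the guard prefix, then parse as data, never as code.
function parseGuardedJson(body) {
  if (!body.startsWith(JSON_PREFIX)) throw new Error("missing guard prefix");
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Check used to prove the point: would this body parse if loaded as a <script>?
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}
```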

The standard warnings go with this one:

  • Do not click on links from untrusted sources.
    Hey, when did you ever know a person who was named “DWickjasl Pfennry”?

  • Do not click on suspicious links even if they come from trusted sources
    Your bank would never send you a referral scheme via e-mail. Period. And no, you are not gonna win that iPod (unless it’s freepay, and they don’t operate in India. So, there.)

  • Report all spam. It helps.
    Use that small button named “Spam” (or “Report Spam” in case of GMail). It really works, you know.

  • All Links are NOT meant for clicking
    Use the status bar. Hover your mouse over the link and look at the bottom left; you should see the address the link points to. If it looks suspicious, DON’T click. Period.

  • Above all, use your common sense.
    If you don’t remember participating in the Fifth Third bank International lottery, YOU DIDN’T PARTICIPATE.

So, there you go… Capisce?
