Then there is that hack about your contact list getting stolen: log in to Gmail and open one of the following links:
http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999
http://video.google.com/data/contacts?out=js&max=500&psort=Affinity&callback=getContacts
All your contacts in JSON format, wrapped in a function call named by the callback= parameter, which makes the response executable JavaScript. That is what makes it dangerous: any website can load the URL as the src of a script tag, the browser sends your Google cookies along with that request no matter which site embedded the tag, and the site's own function called google receives your contacts as its argument.
Solutions? Referer-checking (not that good: the header can be stripped or faked, and a check that accepts a missing Referer is no check at all). Better: an unguessable per-session key that has to be sent with each request, because a third-party page cannot know it. They probably used a combination of solutions.
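To make the mechanism concrete, here is an added example (not code from the original post, and nothing in it talks to Google): a self-contained JavaScript model of the leak and of the per-request key fix. The session cookie, the contact list, the key value and the parameter name tok are all constructed or assumed for the demo; the model assumes the endpoint authenticates by cookie alone and wraps its reply in the requested callback, which is what the post describes.

```javascript
// Added example, not code from the original post. Models the JSONP contact
// leak and a per-session token fix. Cookie, contacts, token and the "tok"
// parameter name are constructed/assumed; nothing here contacts Google.

// Constructed data: one logged-in user, identified server-side by a cookie.
const SESSION_COOKIE = 'SID=constructed-session-cookie';
const CONTACTS = [
  { Name: 'Alice Example', Email: 'alice@example.com' },
  { Name: 'Bob Example', Email: 'bob@example.com' },
];
// Assumed fix: an unguessable per-session token that the server embeds only
// in its own pages, so a third-party page never learns it.
const SESSION_TOKEN = 'constructed-unguessable-token';
// The reply the post observed after the fix: google({ Success: false, Errors: [] })
const EMPTY_REPLY = { Success: false, Errors: [] };

// Only accept a plain identifier as callback name; anything else would let
// the callback parameter inject arbitrary script into the response body.
function callbackName(url) {
  const cb = url.searchParams.get('callback') || 'google';
  return /^[A-Za-z_$][\w$]*$/.test(cb) ? cb : 'google';
}

// Server side, vulnerable: authenticates by cookie alone and wraps the data
// in the requested callback, so the reply is runnable JavaScript for any page.
function vulnerableContactsEndpoint(req) {
  const url = new URL(req.url);
  const body = req.cookie === SESSION_COOKIE
    ? { Success: true, Contacts: CONTACTS }
    : EMPTY_REPLY;
  return `${callbackName(url)}(${JSON.stringify(body)})`;
}

// Server side, fixed: same cookie check plus the per-session token. A
// cross-site <script> include carries the cookie automatically but cannot
// supply the token, so an attacker only ever receives the empty reply.
function fixedContactsEndpoint(req) {
  const url = new URL(req.url);
  const authorised = req.cookie === SESSION_COOKIE &&
    url.searchParams.get('tok') === SESSION_TOKEN;
  const body = authorised ? { Success: true, Contacts: CONTACTS } : EMPTY_REPLY;
  return `${callbackName(url)}(${JSON.stringify(body)})`;
}

// Browser side: what <script src="http://docs.google.com/..."> does on ANY
// page. The browser attaches the docs.google.com cookies regardless of who
// embedded the tag (this is why a script tag works where a cross-domain frame
// read or XMLHttpRequest is stopped by the same-origin policy), then runs the
// response in the embedding page's global scope. new Function stands in for
// that global execution: the page's globals become the function's parameters.
function scriptTagInclude(endpoint, src, pageScope) {
  const response = endpoint({ url: src, cookie: SESSION_COOKIE });
  const names = Object.keys(pageScope);
  new Function(...names, response)(...names.map((n) => pageScope[n]));
  return response;
}

// A page that defines the callback named in the URL, includes the URL and
// keeps whatever the callback is handed. Returns the first object received.
function pageThatIncludes(endpoint, src) {
  const received = [];
  scriptTagInclude(endpoint, src, { google: (data) => received.push(data) });
  return received[0];
}

// The attacker uses the URL from the post; it carries no token because the
// attacker does not know it. The legitimate page appends the token it was given.
const ATTACK_URL = 'http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999';

function demo() {
  const leaked = pageThatIncludes(vulnerableContactsEndpoint, ATTACK_URL);
  const blocked = pageThatIncludes(fixedContactsEndpoint, ATTACK_URL);
  const legit = pageThatIncludes(fixedContactsEndpoint, `${ATTACK_URL}&tok=${SESSION_TOKEN}`);
  return { leaked, blocked, legit };
}

const result = demo();
console.log('attacker page vs vulnerable endpoint:', JSON.stringify(result.leaked));
console.log('attacker page vs fixed endpoint:     ', JSON.stringify(result.blocked));
console.log('own page (has token) vs fixed one:   ', JSON.stringify(result.legit));
```

The point the model makes is that the cookie is sent automatically by the browser for every script include, so the cookie alone proves nothing about who embedded the tag; only something the embedding page must already possess (the token) distinguishes the site's own page from a stranger's. The callback-name check is a separate, smaller hardening: without it the callback parameter is a script-injection hole in the response itself.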
It seems to be fixed already; the only thing it returns for me now is:
google ({ Success: false, Errors: []})
But the XML output is still accessible: http://docs.google.com/data/contacts?out=xml&show=ALL&psort=Affinity&callback=google&max=999999.
I tried hacking up a little piece of code, but alas: loading the XML into a frame and then trying frames['the_frame'].document.getElementsByTagName('Email') does not work. Both Firefox and IE prevent stealing content from frames across domains.
Maybe we should use an XMLHttpRequest solution, then? That doesn't work in Firefox either: even netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead") fails. Internet Explorer (tested in 7) complains about ActiveX objects being used.
So is this still a security issue? I would say no. Locally (trusted zone): Firefox doesn't allow the described actions, and IE at least warns the user. When surfing on the Internet (untrusted zone): the objects were blocked by default (my IE and Firefox were set up in such a way that when I tried to run this script from the web, they blocked the cross-domain XMLHttpRequest by default without asking). Maybe IE6 is a bit more insecure.
For people who want to try it out: example HTML here (use IE and allow the blocked ActiveX content for it to work).
Another sad message: Gmail's storage has stopped increasing... Mine has also stopped at 2800MB... Why?
There is a little bit of good news too: the calculator works again...