Gmail Contacts Flaw: Overview and Suggestions

There’s news and discussion about a recent flaw in Gmail that can expose your contact list to any page.


This is a companion discussion topic for the original entry at http://betterexplained.com/articles/gmail-contacts-flaw-overview-and-suggestions/

[…] I’m not an expert in Web Security, but I know enough to realize it’s tricky and that there will be things I miss. Even the big boys like Google can get caught in bugs sometimes. […]

Hello,
I know “nothing” about programming but urgently need help! My contact list and parts of emails are being spied on (stored in cookies)!!!

Last Thursday I was logged into my gmail account when suddenly everything slowed down and certain functions like “compose” didn’t work anymore.

I clear out my folder “temporary internet files” once or twice a day. When gmail wasn’t working properly I logged in and out and switched to the folder “temporary internet files”.

I saw that a CONTACT ADDRESS which I didn’t use for about 3 years was part of the text of a cookie. I cleared the folder but when I logged in again there was the same cookie.

Same happened with about 20 other contacts, most of them I didn’t use for years!

I then cleared my contact list.

Then it was getting even scarier: parts of old messages and data were part of newly created cookies.

There are other cookies which show symbols like ???, %%%% or squares.

The most extreme thing that happened then was: I took screenshots of the suspicious cookies to have some sort of documentation. I stored these screenshots in a completely different folder. Suddenly there was a new jpg cookie in the folder temporary internet files whose text started with ?? and then continued with the folder path! Some other cookies contain information from the registry.

All this just happens when I’m logged into my gmail account.

I’m completely lost because I’m no technician at all. I don’t know what to do.

I tried to call up Google Germany but there’s just an answering machine which says “no support”.

[…] With this we can already imagine the possibilities: for example, browsing your company’s intranet pages in one tab without a care, while in another tab you could browse the most promiscuous sites in the universe without fear, since the two tabs are completely isolated and each one is locked inside its own domain! Could it be that CSRF, XSS and the like have their days numbered? :) Could it be that CSRF, similar attacks, and attacks like this one, for example, have their days numbered? :frowning: […]

[…] A vulnerability in GMail was discovered in January 2007 which allowed an attacker to steal a GMail user’s contact list. A different issue was discovered in Netflix which allowed an attacker to change the name and address on the account, as well as add movies to the rental queue, etc. […]


Just protect against it like any other XSS attack. Simply require some per-session unique hash for the HTTP request.

Thanks for the warning. My site has been attacked by this XSS… but now it’s safe.

@Alex: Awesome, glad it helped.

Your link is broken… is the script still abusable?

@Joseph: Updated the link, the script has been long fixed :).