Google: GMail Information Disclosure ~ mybeNi websecurity, web security and hack stuff.


GMail Information Disclosure

March 14th, 2007

Some time ago, whilst playing around with some of the Google services, I found a pretty nice XML document which reveals a great deal of information about the user who is currently logged in. Namely:

  • All Contacts you’ve ever mailed (Name and Email address)
  • Your Google Authentication Token (!!)
  • A boolean variable telling if there’s someone logged in on this box at the moment

Here is a picture of the XML document which discloses your information:

[Image: GMail userdata XML document]

Okay, but now I needed a way to abuse this via JavaScript, just to have a nice proof-of-concept, and the browser's built-in cross-domain restrictions (the same-origin policy; I tested in Firefox) blocked every one of my approaches.

Because of that I needed a google.com XSS vulnerability to get my PoC working, so it took me some time to find one (in fact ~5 minutes, feel free to ask RSnake ;-) ).

So here it is, my GMail PoC! :) Important: you need to click the “More options” link on the right-hand side of “The Self-Destruction of Stefan Dam” twice!

[Image link: Google Groups, click here to start the exploit]

Some of you might be wondering why I disclosed this to the world instead of to the Google Security Team:

In February this year I discovered an XSS vulnerability on the https://www.google.com login page. All they gave me was some good karma and a weak “thank you”. Sorry, but that is not enough, and if I see such laaaaaaarge stupidities in the concept of a big big (big big) homepage I can’t just sit on my chair and wait until somebody fixes this. All apologies.
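The post's two findings are a contacts feed that hands out every contact plus the session's auth token to any request carrying the user's cookie, and a same-origin policy that only a google.com XSS could get around. The following is an added example (not Google's code, and not from the post) of how such a feed should have been written: the session store, token values and field names are constructed placeholders.

```javascript
// Added example (not Google's code): a hardened handler modelled on the contacts
// feed the post describes (/groups/profile/contacts?max=500). Two defences:
//   1. Data minimisation: the auth token is never serialised into the response.
//   2. Cross-site read protection: the caller must echo a session-bound token in
//      a custom header, so ambient cookies alone do not unlock the data.
// Neither stops script already running on the same origin (the XSS the post
// needed); that bug still has to be fixed on its own.

// Constructed sample session store: cookie value -> session record.
const SESSIONS = {
  "sid-1234": {
    user: "alice@example.invalid",
    authToken: "AUTH-TOKEN-PLACEHOLDER",   // must never leave the server
    csrfToken: "CSRF-TOKEN-PLACEHOLDER",
    contacts: [
      { name: "Bob", email: "bob@example.invalid" },
      { name: "Carol", email: "carol@example.invalid" },
    ],
  },
};

// Constant-time string comparison so the token check leaks no timing signal.
function constantTimeEqual(a, b) {
  a = String(a); b = String(b);
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { cookie, headers: {...}, query: {...} }  ->  { status, body }
function handleContacts(req) {
  const session = SESSIONS[req.cookie];
  if (!session) return { status: 401, body: { loggedIn: false } };

  const supplied = req.headers["x-csrf-token"];
  if (!supplied || !constantTimeEqual(supplied, session.csrfToken)) {
    return { status: 403, body: { error: "missing or invalid CSRF token" } };
  }

  // Clamp ?max= to a sane range instead of trusting the client's value.
  const requested = parseInt(req.query.max, 10);
  const max = Math.min(Math.max(Number.isNaN(requested) ? 50 : requested, 1), 100);

  // Only the fields the feature needs: name and email, nothing from the session.
  const contacts = session.contacts.slice(0, max).map(c => ({ name: c.name, email: c.email }));
  return { status: 200, body: { loggedIn: true, contacts } };
}
```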





16 Responses to “GMail Information Disclosure”:

  1. hackathology Says:

    Nice find Beni, it’s amazing how XSS has become so popular because of rsnake and jeremiah. And now with researchers like you, XSS is going to be more of a headache.


  2. www.enchilame.com Says:

    Vulnerability discovered in GMail and Google Desktop…

    As usual in this insecure Internet world, a new vulnerability has been discovered in Google Desktop and GMail; it is an XSS. Via: http://www.oreillynet.com/onlamp/blog/2007/03/your_gmail_and_google_desktop.html…


  3. Vulnerabilidades del día Says:

    […] How to steal Gmail account data and other information through Gmail XSS. […]


  4. greenarrow1 Says:

    I thought Google just issued a fix for this in the last few days, oops, I mean the XSS vulnerability. Actually it is quite hard keeping up with what Google is doing or not doing. My question is: is this a Google or browser problem, or both?


  5. siopaogirl Says:

    And here I was thinking of migrating to Gmail instead of Yahoo. Right now there are millions of people registered to Gmail. I never thought XSS could be easily decoded~ well, sort of.

    About the non-English-speaking people, I hope they would try their best to reply in English so everyone can understand what each of them has to say. Thanks.


  6. Jesper Says:

    That is really amazing stuff that you are revealing. It’s scary to see an XML file with all my contacts and auth token like that.

    But when I try the “more options” button nothing happens. All I get is a “TH_ToggleOptionsPane is not defined” JS error. Did they fix it already or am I missing something?


  7. beNi Says:

    greenarrow: this is definitely a Google problem because they store your data in one XML file: http://groups.google.com/groups/profile/contacts?max=500

    siopagirl: I think these posts are trackbacks from several Spanish blogs, but I can’t understand what they are writing ;-)

    Jesper: Just rechecked the flaw, my demonstration link still works in Firefox, so the flaw isn’t patched yet.
    Did you try it in IE? My Ubuntu doesn’t support MSIE, sorry ;-)


  8. Jesper Says:

    beNi, I was using Firefox earlier but something wasn’t working. I only got JavaScript errors (in the Firebug extension). But now I tried the page again, and it’s working! Guess something with my config was playing tricks.

    Also tried Opera on Windows and it’s also showing me the exploit. Never tried it in IE.

    As always it is really interesting to read about your thoughts and revelations. From a web developer’s point of view, it is really helpful. It makes me more aware of what I can do to protect my own applications.


  9. greenarrow1 Says:

    Huummm, XML, another Microsoft flavor. Wonder if the Russian hackers have knowledge of this? I noticed you posted that you notified Google; has there been any more correspondence from them?
    If you want I can get this to eEye or iDefense Labs as they just might get Google to react. Google just patched something, but with all the malware news and flaws lately I do not remember what they actually patched. You might want to look at this, as if you find vulnerabilities you can get paid for them.

    http://labs.idefense.com/vcp/rewardprograms.php


  10. Ciprian Amariei Says:

    Hi all, some time ago I read on a blog about this bug from Google, and I made a small page to show the problem. No answer from Google, although I’ve sent them an email about 2 months ago… here is the link: http://students.info.uaic.ro/~camariei/gontacts/
    Unfortunately I am not a spammer; I think this would be a gold mine in the wrong hands.


  11. beNi Says:

    greenarrow: at first some random staff member disabled my backebackekuchen@gmail.com account, without giving any reasons why he did this (perhaps he didn’t like me ;-) ). But a friendly Google employee recovered it again, thanks here!

    No, I don’t have any connections to Russian hackers and therefore I never told them about it ;-)

    Ciprian, great find: I nearly assumed that this gap has existed for a much longer time now.


  12. someone Says:

    Even better: you disclosed it to the world. Cool thing.


  13. alex Says:

    hi nice site.


  14. csKa Says:

    Hi all, I am a novice in webapp security.
    It is a big security hole in Google, but one thing I don’t know is: why is the auth token so important?


  15. Callum Dixie Says:

    *applauds*


  16. zam Says:

    Hmmm.. they musta fixed it, since I only get “options” instead of “more options”, and when I click twice, nothing happens.



