Happy New Year Google: Gmail Hacks posted on Digg!
Hackers gave Google a New Year's gift: a way to steal all your Gmail contacts just by visiting a site, any site for that matter. As I write this, 1628 people have dugg the article on Digg, and they have posted the code on the comment page.
I tried it myself, and it only took me 10 minutes to code a Gmail address book slurper using PHP; this code is released for educational purposes only. You may try out whether your Gmail is vulnerable here (fixed).
Maybe this is the end of Google's peaceful reign, and it will join the likes of Microsoft, which battles endless waves of hackers trying to find the next vulnerability.
UPDATE: 3:53AM +8:00
Guys, if you're using the test site, please create a dummy account and add some useless email addresses to the contact list. Although I'm not harvesting your account (so you're safe if you trust me), my hosting just called saying my access_logs have bloated. So please, create a dummy account first and add Bush to the contact list before testing. I'm adding more test scripts using other sources of contact list data, such as Google Notepad and Google Groups.
Thanks.
UPDATE 7:31PM +8:00
I'm checking in to report that the hack has been closed, thanks to the cult followers of Gmail who were relentless in finding all the bugs. I'm not sure what time it was fixed, since I wasn't able to stay awake to test regularly via the test site; thanks to Aileen Apolo's reply (to my mass email warning), I woke up to update this post right away. Kudos to the Google team; I think they had to skip some needed holiday break just to fix this hack as fast as possible. Lastly, kudos to the rest of the blogosphere and the Diggers who searched for and posted the hack. IMHO, if the guys who initially found the hack hadn't come forward with the report (they didn't withhold the hack and use it for their own profit), lots of accounts could have been compromised.