Postări
TECHNOLOGY
‘WHOA’: CAN YOUR GMAIL ADDRESS BE ‘HARVESTED’ IF YOU ARE LOGGED INTO GOOGLE?
Right now you are reading a story on The Blaze. I have no idea who you are and you probably like it that way. But what if had secret Managing Editor powers that allowed me to see your actual e-mail address whether you wanted me to or not?
You might consider that to be a “pretty big security hole.” The folks at TechCrunch sure do:
The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain.Michael Arrington includes a screen grab of the e-mail:
If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.
http://www.theblaze.com/stories/whoa-can-your-gmail-address-be-harvested-if-you-are-logged-into-google/
* * *
UPDATE:
i have no idea what this is exploiting but there’s a decent chance it has something to do with Friend Connect and the way it passes data between iFrames (ie yes, it very well could be opensocial related). whatever is going on it’s an extremely serious security and privacy violation and i am confident google will address this in moments counted in minutes.If you insist on trying this yourself (hey, I did), the email to you will likely be in your spam filter.
i can’t recall ever having seen anything like this on a major IdP’s website. it’s scary stuff.
This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. See the second comment thread here for a related issue with App Engine a month ago.
Update: The site is now down. Here’s what it looked like:
Update 2: Email from Vahe, the man behind this:
Hi Mr. Arrington,Update 3: From Google: “We take potential security issues very seriously, and our team is actively investigating this one. We’ll share more information soon.” I suggest Google contact Vahe directly, he seems like he’d love to talk to them.
I see you have already shared the news. It’s good that google got it down, I really don’t want people to know about how that was done (if Google contacts I will definitely tell them – they just don’t answer my emails). Problem relies solely on Google.
Problem is I asked a lot of people, and most of them don’t really understand and care about this kind of things and big companies act like they all really protect our privacy and such, but they see that people don’t care and don’t do anything really.
Regards,
Vahe G. (Armenian 21yrs guy whom Google doesn’t wanted to even talk to)
Update 4: Google says the issue is now resolved: “We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com.”
| Website: | google.com |
| Location: | Mountain View, California, United States |
| Founded: | September 7, 1998 |
| IPO: | August 19, 2004 |
5 comentarii :
Global governance trebuie sa stie TOT.
Mi se pare normal ca daca pun la dispozitie o platforma de comunicare sa stie si toata corespondenta fiecarui cont deschis.
Asa este logic
Oficial, cică nu ar fi aşa... :)
I don't buy it :)))
Google e un server mai mare ,globalist
Google s-a dat pe brazdă
http://riddickro.blogspot.com/2010/07/google-s-dat-pe-brazda.html
Google deschide office si in Romania.
Ca sa ne monitorizeze mai bine...
Trimiteți un comentariu