Gmail bug allows bad (and good if it matters) people to see your contacts

Like your Gmail account? Consider it a sacred place which must be protected from spammers at all cost? Yeah, us too. Well, we hate to break the bad news at the dawn of the new year but there’s a weakness in Gmail which exposes your email address to any web site capable of exploiting the bug. As reported on Digg, the exploit takes advantage of the fact that Google puts your details into a JS file. As a result, if you’re logged into Gmail and browsing the web, any rogue website can declare the function “google” and then parse all your contacts. The only way to safeguard yourself is to disable Javascript in your browser (or enable it for trusted sites only) or simply climb into a hole and not browse while logged into Google services like Gmail, Blogger, Orkut, Reader, Calendar, etc. — you know, the sites you typically have open all day long. For obvious reasons, we will not link directly to the site which demonstrates the exploit on your personal account due to the risk of running possibly malicious code. However, we tested it and found our most precious account — and those of our contacts — correctly identified and ready for harvest. But hey, even though Gmail has been out since 2004, it is still “beta”… right?

Gmail bug exposes your mail account to spammers - Engadget

(This is me now) Pretty scary. They then go on to link to this “non-malicious link”.

If you’re using Gmail, and you’re logged in and Javascript is enabled, you SHOULD see all your contacts. Even more scary.

[Thanks Greg for telling me]

UPDATE: It’s fixed now.

2 Responses to “Gmail bug allows bad (and good if it matters) people to see your contacts”


  1. Mike Cohen

    When I click that link in Firefox 2.0.0.1 (BonEcho) I see the actual JavaScript code:

    google ({
    Success: false,
    Errors: []
    })

  2. Austen

    yeah, I guess that they fixed it shortly after I posted. :-(
