UPDATE: This security flaw has been fixed by Google.
I’ve found an interesting security bug in Google’s GMail that could potentially expose your entire GTalk/GChat contact list (i.e., your Quick Contacts).
I. The security flaw can be exposed this way (you will need two GMail accounts):
1. Open yor browser (tested on Internet Explorer and Firefox) and log in to your GMail account.
2. Open another browser window or tab and navigate to GMail. Your current account will open. Sign out and log back in with the second GMail account.
You should now have two browser windows open to GMail. Each one logged into a different account (although only the second one will be functional):
3. Now go to the first window and wait (might take a while). Do not click on anything, do not refresh (clicking on anything will display a new page stating you’ve been signed out of GMail.) Eventually, your Quick Contacts list will show the Quick Contacts and tag line for the second account.
You can click on any contact to access its details (Name & Email).
You will not be able to send them an email, because GMail will tell you that “Your account has been signed out” but that’s just a minor inconvenience.
II. Exploiting this security flaw:
1. You’ll need to log into your GMail account and somehow hide that window from your victim. Suggestions: open lots of tabs so that your tab gets hidden in the clutter or minimize the window and leave another window open for yout victim to use.
2. In a new tab or window access GMail and sign out, leaving the GMail sign in window displayed. Hopefully, your victim will use this window to access GMail.
3. Return to your victim’s computer and take a look at their Quick Contacts in your “hidden” GMail window.
III. Protecting yourself from this security flaw:
1. Alway sign out of GMail when using a shared computer.
2. Before login on to your GMail account, make sure there are no hidden windows or tabs already logged into someone else’s GMail account.
IV. Contacting me:
You may contact me through this blog’s comment system, gmail me (granier) or skype me (anonymonk).
Google has been informed of this bug.
Technorati Tags: Google, Security, Hacking