Google GMail security bug shares your chat contacts

UPDATE: This security flaw has been fixed by Google.

I’ve found an interesting security bug in Google’s GMail that can expose your entire GTalk/GChat contact list (i.e., your Quick Contacts) to someone else who uses the same browser.

I. Reproducing the security flaw (you will need two GMail accounts):

1. Open your browser (tested on Internet Explorer and Firefox) and log in to your first GMail account.

2. Open another browser window or tab and navigate to GMail. It will open already signed in to your first account. Sign out and log back in with the second GMail account.

You should now have two browser windows open to GMail, each logged into a different account (although only the second one will still be functional):

[screenshot: attacker_det]

[screenshot: victim_det]

3. Now go to the first window and wait (it might take a while). Do not click on anything and do not refresh: clicking on anything will load a new page stating that you have been signed out of GMail. Eventually, the Quick Contacts list in the first window will show the Quick Contacts and tag line of the second account.

[screenshot: attacked_det]

You can click on any contact to access its details (name and email address).

[screenshot: contact_details_det]

You will not be able to send them an email, because GMail will tell you that “Your account has been signed out”, but that is only a minor inconvenience.

[screenshot: signedout_det]
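The behaviour reproduced above, modelled as an added example. This is not Google’s code, and the post does not say how GMail implemented this, so the mechanism is an assumption made for illustration: every window of one browser shares one cookie jar, a loaded GMail page keeps polling a contacts endpoint with whatever cookie the browser currently holds, and the endpoint trusts the cookie alone. The account names, the `poll_contacts` endpoint and the `reproduce` driver are all made up. The hardened variant has the page carry the account it was rendered for, so the server can refuse once the cookie belongs to somebody else.

```python
# Added example, not Google's code. The mechanism is an assumption made for
# illustration: every window of one browser shares a cookie jar, and a loaded
# GMail page keeps polling for contacts with whatever cookie the browser holds.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two accounts and their Quick Contacts (made up).
ACCOUNTS = {
    "attacker@example.com": {"tagline": "at my desk",
                             "contacts": ["mallory@example.com"]},
    "victim@example.com": {"tagline": "out to lunch",
                           "contacts": ["alice@example.com", "bob@example.com"]},
}


class Server:
    """Session store keyed by cookie value, plus the contacts endpoint."""

    def __init__(self) -> None:
        self.sessions: dict = {}
        self._next = 0

    def login(self, user: str) -> str:
        self._next += 1
        sid = f"sid-{self._next}"
        self.sessions[sid] = user
        return sid

    def logout(self, sid: Optional[str]) -> None:
        self.sessions.pop(sid, None)

    def poll_contacts(self, sid: Optional[str],
                      expected_user: Optional[str] = None) -> dict:
        """Vulnerable when expected_user is None: the reply is whatever account
        the cookie maps to right now. Hardened otherwise: a page rendered for
        one account is refused data that belongs to another."""
        user = self.sessions.get(sid)
        if user is None:
            return {"error": "signed_out"}
        if expected_user is not None and user != expected_user:
            return {"error": "session_changed"}
        return {"user": user, **ACCOUNTS[user]}


@dataclass
class Browser:
    server: Server
    cookie: Optional[str] = None  # one cookie jar shared by every window and tab

    def login(self, user: str) -> None:
        self.logout()
        self.cookie = self.server.login(user)

    def logout(self) -> None:
        self.server.logout(self.cookie)
        self.cookie = None


@dataclass
class GmailWindow:
    """A loaded page that remembers which account it was rendered for."""
    browser: Browser
    pin_identity: bool  # True = hardened client, sends rendered_for with each poll
    rendered_for: Optional[str] = None

    def load(self) -> dict:
        reply = self.browser.server.poll_contacts(self.browser.cookie)
        self.rendered_for = reply.get("user")
        return reply

    def poll(self) -> dict:
        expected = self.rendered_for if self.pin_identity else None
        return self.browser.server.poll_contacts(self.browser.cookie, expected)


def reproduce(pin_identity: bool) -> dict:
    """Run the post's steps 1-3 and return what the first window's next poll shows."""
    browser = Browser(Server())
    browser.login("attacker@example.com")      # step 1: first window signs in
    first_window = GmailWindow(browser, pin_identity)
    first_window.load()
    browser.logout()                            # step 2: second window signs out...
    browser.login("victim@example.com")         # ...and back in as the other account
    return first_window.poll()                  # step 3: first window just waits


if __name__ == "__main__":
    print("vulnerable:", reproduce(pin_identity=False))
    print("hardened:  ", reproduce(pin_identity=True))
```

The same check can live in the client instead: compare the `user` field of each reply with the account the page was rendered for and force a sign-out on mismatch. Either way the page has to carry the account it belongs to; a cookie alone identifies the browser, not the window.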

II. Exploiting this security flaw:

1. You’ll need to log into your GMail account on the victim’s computer and somehow hide that window from the victim. Suggestions: open lots of tabs so that your tab gets hidden in the clutter, or minimize the window and leave another window open for your victim to use.

2. In a new tab or window, access GMail and sign out, leaving the GMail sign-in page displayed. Hopefully, your victim will use this window to access GMail.

3. Return to your victim’s computer and take a look at their Quick Contacts in your “hidden” GMail window.

III. Protecting yourself from this security flaw:

1. Always sign out of GMail when using a shared computer.

2. Before logging in to your GMail account, make sure there are no hidden windows or tabs already logged into someone else’s GMail account.

IV. Contacting me:

You may contact me through this blog’s comment system, gmail me (granier) or skype me (anonymonk).

Update:

Google has been informed of this bug.


  • Alfredo

    I connect through an office LAN. Is there a way they can have access to my chats or emails?
    How may I prevent this from happening?

  • @Alfredo,

    This issue has been fixed by Google.

    However, it seems you’re worried whether your office’s IT department can read your Gmail and chats. If that’s the case, I have two recommendations:

    1. Always use Gmail’s secure connection (connect using https://www.gmail.com instead of plain http://)

    2. Don’t use your office’s computer and network for any activity that may get you fired or in trouble.

  • omar

    I am writing this email with a great deal of urgency. Someone has repeatedly hacked into my email address and sent out emails I did not authorize. I have changed my password on numerous occasions, and someone just sent out an email on my behalf with an inappropriate picture to everyone in my contact list. This email was sent at 6:05 pm this evening to multiple people. Please, I am begging you to unsend this email or retract the email, or I could lose my job since this individual has sent it to my peers, friends and family. Please contact me as soon as possible to help me withdraw this email. Please, I am begging.

  • Omar, are these messages showing up on your Sent Mail folder?

    Two things may be happening:

    1. Someone is obtaining your password and using your Gmail account to send emails. In this case, make sure there isn’t a trojan program installed on your computer… this program may be giving someone access to your computer, sending them your passwords or recording all your keystrokes. Run an anti-virus and anti-spyware utility on your system.

    2. Someone may be pretending to be sending emails from your account, but is actually sending them from a different server. Check the headers of one of these emails and see what servers and IPs show up.

    Lastly, I do not work for Google (not yet, at least) so there’s nothing I can do about your emails. Sorry.
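The header check suggested in that reply, as an added example (not the commenter’s code): it walks a message’s Received chain in transit order and asks whether the message first entered the mail system through a server in the From address’s domain. Both messages, every hostname and every address are constructed for illustration. The heuristic is only as trustworthy as the servers that wrote the later headers, because a sender can forge the earliest Received lines.

```python
# Added example, not the blog's code: reading a message's Received chain to see
# where it really entered the mail system. Both sample messages are constructed.
import re
from email import message_from_string
from typing import Optional

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed: From claims example.com, but the first hop was accepted by a
# mail server in a different domain, from an unrelated DSL address.
SPOOFED_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.net with ESMTP id abc123; Tue, 1 Jan 2008 18:05:00 -0500
Received: from dsl-pool-77.example.net (unknown [203.0.113.77])
\tby mx.example.org with SMTP; Tue, 1 Jan 2008 18:04:58 -0500
From: "Omar" <omar@example.com>
To: peers@example.net
Subject: test

body
"""

# Constructed: same From, but the first hop was an authenticated submission
# (ESMTPSA) to the sender domain's own submission server.
GENUINE_MESSAGE = """\
Received: from smtp.example.com (smtp.example.com [198.51.100.5])
\tby inbox.example.net with ESMTP id def456; Tue, 1 Jan 2008 18:05:00 -0500
Received: from [10.0.0.4] (webmail.example.com [198.51.100.20])
\tby smtp.example.com with ESMTPSA; Tue, 1 Jan 2008 18:04:50 -0500
From: "Omar" <omar@example.com>
To: peers@example.net
Subject: test

body
"""


def received_chain(raw: str) -> list:
    """Received hops in transit order (earliest first). Each MTA prepends its
    own header, so the order in the message is reversed here."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(header)
        if m is None:
            continue  # malformed or non-standard Received line: skip, do not guess
        ip = IPV4_RE.search(m.group("helo") or "")
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops


def sender_domain(raw: str) -> Optional[str]:
    """Domain part of the From header, lower-cased."""
    m = re.search(r"@([\w.-]+)", message_from_string(raw).get("From", ""))
    return m.group(1).lower() if m else None


def entered_via_sender_domain(raw: str) -> bool:
    """Heuristic: was the first receiving server in the From address's domain?
    Only headers added by servers you trust are reliable; earlier lines can be
    forged by the sender, so a True here is a hint, not proof."""
    chain = received_chain(raw)
    domain = sender_domain(raw)
    if not chain or domain is None:
        return False
    first_by = chain[0]["by"].lower().rstrip(";")
    return first_by == domain or first_by.endswith("." + domain)


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, received_chain(raw)[0], entered_via_sender_domain(raw))
```

Read the chain from the bottom header up: the lowest Received line is the oldest, and the `by` host of that line is the first server that handled the message. Where the receiving provider records SPF or DKIM results in its own headers, those are stronger evidence than this hop-by-hop reading.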

  • donna

    Is there a way to clear the IP activity history on gmail?

  • I STRONGLY recommend GMail to EVERYONE