Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
lord_casek

Google has a pretty big hole....

Recommended Posts

Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain.

If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.

 

 

And it even works in “incognito” mode (also known as porn mode).

What is the exploit? We don’t know, and Google has yet to respond to us about it. We note that the site doing the exploiting is on Google’s own blogging platform. One developer we spoke with was confused as well, saying:

i have no idea what this is exploiting but there’s a decent chance it has something to do with Friend Connect and the way it passes data between iFrames (ie yes, it very well could be opensocial related). whatever is going on it’s an extremely serious security and privacy violation and i am confident google will address this in moments counted in minutes.

i can’t recall ever having seen anything like this on a major IdP’s website. it’s scary stuff.

If you insist on trying this yourself (hey, I did), the email to you will likely be in your spam filter.

This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. See the second comment thread here for a related issue with App Engine a month ago.

 

 

http://techcrunch.com/2010/11/20/whoa-google-thats-a-pretty-big-security-hole/

Share this post


Link to post
Share on other sites
i wanna learn how to do this kinda stuff

 

 

Read a lot. Join "smash the stack", "hack this site", or one of the other hacking sites,

read more netsec books, join forums related to netsec, get certified, make money.

  • Like 2

Share this post


Link to post
Share on other sites

just make sure you sign out of your gmail or facebook when youre done.

 

anyone remember when weaponxxx made that thread with the facebook link?

Share this post


Link to post
Share on other sites

gone phishing <><

 

damn...you took it back to the aol days right there.

 

i had like 5 phished accounts...a bunch of proggies for pinting and punting fools.

i really wanted one of those OH accounts though.

Share this post


Link to post
Share on other sites

back in 98 i was in the aol private rooms mp3, mp32, mp33, etc..

 

then youd request the list from the server.....i had a nice prog that would convert the list to where you could just double click the files you wanted to get sent to you.

 

except each song would take about 35 minutes to download...lol.

 

i still have the aol 3.0 disks.

Share this post


Link to post
Share on other sites
anyone remember when weaponxxx made that thread with the facebook link?

 

This needs to be done again. This whole crop of new guys would shit their pants.

Share this post


Link to post
Share on other sites
This needs to be done again. This whole crop of new guys would shit their pants.

 

I faintly remember this but I was not down with anything facebook at the time.

Share this post


Link to post
Share on other sites

Register for a 12ozProphet forum account or sign in to comment

You need to be a forum member in order to comment. Forum accounts are separate from shop accounts.

Create an account

Register to become a 12ozProphet forum member.

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×