Google has a pretty big hole....

[lord_casek]

Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain.

If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.

 

 

And it even works in “incognito” mode (also known as porn mode).

What is the exploit? We don’t know, and Google has yet to respond to us about it. We note that the site doing the exploiting is on Google’s own blogging platform. One developer we spoke with was confused as well, saying:

i have no idea what this is exploiting but there’s a decent chance it has something to do with Friend Connect and the way it passes data between iFrames (ie yes, it very well could be opensocial related). whatever is going on it’s an extremely serious security and privacy violation and i am confident google will address this in moments counted in minutes.

i can’t recall ever having seen anything like this on a major IdP’s website. it’s scary stuff.

If you insist on trying this yourself (hey, I did), the email to you will likely be in your spam filter.

This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. See the second comment thread here for a related issue with App Engine a month ago.

 

 

http://techcrunch.com/2010/11/20/whoa-google-thats-a-pretty-big-security-hole/

[injury]

yikes.

[Crocodile Tears]

[~KRYLON2~]

i wanna learn how to do this kinda stuff

[lord_casek]

i wanna learn how to do this kinda stuff

 

 

Read a lot. Join "smash the stack", "hack this site", or one of the other hacking sites,

read more netsec books, join forums related to netsec, get certified, make money.

[~KRYLON2~]

check

[Cro.]

i never got the email.

[KILZ FILLZ]

"That's what she said"

[TACO_KING]

[lord_casek]

i never got the email.

 

 

Site is down.

[RIPS]

http://www.youtube.com/watch?v=RSpXEPl3zeU

[andrewreynoldsx]

and i raise you, http://www.youtube.com/watch?v=kcYg4fZEDzg

[CALIgula]

just make sure you sign out of your gmail or facebook when youre done.

 

anyone remember when weaponxxx made that thread with the facebook link?

[POINTFIVE]

<>< lol also xss

[CALIgula]

gone phishing <><

 

damn...you took it back to the aol days right there.

 

i had like 5 phished accounts...a bunch of proggies for pinting and punting fools.

i really wanted one of those OH accounts though.

[KILZ FILLZ]

Aol private room PROGZ, yellow,pepsi,tits,vb3

[CALIgula]

back in 98 i was in the aol private rooms mp3, mp32, mp33, etc..

 

then youd request the list from the server.....i had a nice prog that would convert the list to where you could just double click the files you wanted to get sent to you.

 

except each song would take about 35 minutes to download...lol.

 

i still have the aol 3.0 disks.

[Spitfire15]

anyone remember when weaponxxx made that thread with the facebook link?

 

This needs to be done again. This whole crop of new guys would shit their pants.

[50million]

yeah i joined some bay area group on facebook and i got a ton of emails from them.

 

 

[blacken]

This needs to be done again. This whole crop of new guys would shit their pants.

 

I faintly remember this but I was not down with anything facebook at the time.

[BlackbookKWC]

this shit is crazy.