Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
lord_casek

Google has a pretty big hole....

Recommended Posts

Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain.

If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.

 

 

And it even works in “incognito” mode (also known as porn mode).

What is the exploit? We don’t know, and Google has yet to respond to us about it. We note that the site doing the exploiting is on Google’s own blogging platform. One developer we spoke with was confused as well, saying:

i have no idea what this is exploiting but there’s a decent chance it has something to do with Friend Connect and the way it passes data between iFrames (ie yes, it very well could be opensocial related). whatever is going on it’s an extremely serious security and privacy violation and i am confident google will address this in moments counted in minutes.

i can’t recall ever having seen anything like this on a major IdP’s website. it’s scary stuff.

If you insist on trying this yourself (hey, I did), the email to you will likely be in your spam filter.

This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. See the second comment thread here for a related issue with App Engine a month ago.

 

 

http://techcrunch.com/2010/11/20/whoa-google-thats-a-pretty-big-security-hole/

Share this post


Link to post
Share on other sites
This forum is supported by the 12ozProphet Shop, so go buy a shirt and help support!
This forum is brought to you by the 12ozProphet Shop.
This forum is brought to you by the 12oz Shop.
i wanna learn how to do this kinda stuff

 

 

Read a lot. Join "smash the stack", "hack this site", or one of the other hacking sites,

read more netsec books, join forums related to netsec, get certified, make money.

  • Like 2

Share this post


Link to post
Share on other sites

just make sure you sign out of your gmail or facebook when youre done.

 

anyone remember when weaponxxx made that thread with the facebook link?

Share this post


Link to post
Share on other sites

gone phishing <><

 

damn...you took it back to the aol days right there.

 

i had like 5 phished accounts...a bunch of proggies for pinting and punting fools.

i really wanted one of those OH accounts though.

Share this post


Link to post
Share on other sites

back in 98 i was in the aol private rooms mp3, mp32, mp33, etc..

 

then youd request the list from the server.....i had a nice prog that would convert the list to where you could just double click the files you wanted to get sent to you.

 

except each song would take about 35 minutes to download...lol.

 

i still have the aol 3.0 disks.

Share this post


Link to post
Share on other sites
anyone remember when weaponxxx made that thread with the facebook link?

 

This needs to be done again. This whole crop of new guys would shit their pants.

Share this post


Link to post
Share on other sites
This needs to be done again. This whole crop of new guys would shit their pants.

 

I faintly remember this but I was not down with anything facebook at the time.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...