Google fixes Gmail cross-site request forgery flaw

Web application giant Google said today that it has fixed what researchers described as a cross-site request forgery vulnerability that could allow an attacker to steal a Gmail user's contact list.

Haochi Chen, a 16-year-old who runs the Googlified blog, posted proof-of-concept code over the weekend that takes advantage of stored Gmail members' contact lists in JavaScript files.

Jeremiah Grossman, founder and CTO of WhiteHat Security, told SCMagazine.com today that when somebody visits a malicious website exploiting the flaw, the browser makes a silent, behind-the-scenes request for that user's list of Gmail contacts.

"It's a very big privacy breach," he said. "This is a very bad vulnerability that we're going to see a lot more of in 2007…Websites are not prepared to defend against. The premise is built on the way the web is designed to work (through linking pages)."

The initial flaw affected the company's Google Video offering, a file-sharing service, and was fixed in several hours, Heather Adkins, information security manager for Google, said in a statement emailed to SCMagazine.com today. On Chen's blog, the teenager explained that Google Video allows users to select people from their contact list to email videos to.

"We were then notified that the same issue affected other Google products," Adkins said. "The problem with the other products was resolved within 24 hours of the second report. To our knowledge, no one exploited the vulnerability, and no users were impacted."

Adkins said the hole was related to the way Google processes JSON (JavaScript object notation), a computer data interchange format.

"These objects, if abused, can expose information unintentionally," she said. "The fix we employed made sure the objects could not be abused."

Grossman described the bug as the opposite of a cross-site scripting vulnerability, which relies on a user's trust for a website. In the case of cross-site forgery, the flaw "is taking advantage of the trust a website has for you."

Exploiting the flaw could lead to anything from pilfered personal information to unauthorized money transfers. About three months ago, researchers reported a similar cross-site request forgery proof-of-concept code affecting online movie rental merchant Netflix. In that case, hackers could change the addresses of users and hijack their accounts.

The weekend's Google vulnerability again raised the debate over the proper disclosure of vulnerabilities. While she did not specifically chide Chen, Adkins said: "We strongly encourage anyone who is interested in researching and reporting security issues to follow responsible disclosure practices, including giving vendors ample time to respond to reports."

Grossman said as similar flaws increase in prevalence, websites should be ready for any type of disclosure they can get.

"That goes for everybody who does business on the web," he said.

Click here to email reporter Dan Kaplan.

Sign up to our newsletters