January 2, 2007 2:26 PM PST

Google plugs Gmail data leak flaw

Related Stories

Google thanks bug hunters

November 1, 2006

FAQ: JavaScript insecurities

July 28, 2006

The security risk in Web 2.0

July 28, 2006
Google has fixed a security hole in several of its services that exposed the address books of Gmail users, the company said Tuesday.

An attacker could create a malicious Web site that would copy all the entries in a Gmail user's address book, a potential treasure trove for spammers, according to a description of the problem on the "Googling Google" blog. The only condition is that the user would have to be logged in to Gmail or another Google service.

The issue came to light after Google watcher Haochi Chen probed a feature in Google Video over the weekend. The feature, called "Pick People to Email," lets users select contacts from their Gmail address book to send them a video. However, the feature also opened up the address book to others, Chen discovered.

Chen alerted Google over the holiday weekend. Heather Adkins, an information security manager at Google, confirmed Tuesday that the company heard about the Google Video issue and fixed it within hours. The search giant later learned that the same problem also impacted other services and resolved those issues within a day, she said.

"To our knowledge, no one exploited the vulnerability and no users were impacted," Adkins said in an e-mailed statement.

The problem existed because of the way Google used objects created in a lightweight data interchange format called JavaScript Object Notation, or JSON, Adkins said. "These objects, if abused, can expose information unintentionally. The fix we employed made sure the objects could not be abused," she said.

Google regularly has had to fix flaws found in its services. Most of these are relatively new types of weaknesses in Web applications--for example, cross-site scripting bugs that could help scammers launch phishing attacks. Also, JavaScript-related vulnerabilities could help miscreants launch fully fledged attacks and hostile linking.

Just like traditional software companies, Google appeals to bug hunters to responsibly disclose vulnerabilities and to give it time to fix problems. "Responsible disclosure allows companies like Google to keep users safe by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys," Adkins said.

See more CNET content tagged:
Gmail, address book, Google Inc., Google Video, vulnerability


Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.