Google closes Gmail cross-site scripting vulnerability

Google has fixed a flaw that would have allowed websites to harvest information from Gmail contact lists, a problem that could have let spammers collect reams of new email addresses

Share

Google has fixed a flaw that would have allowed websites to harvest information from Gmail contact lists, a problem that could have let spammers collect reams of new email addresses.

For an attack to work, a user would have to log in to a Gmail account and then visit a website that incorporates JavaScript code designed to take contact information from Gmail.

Proof-of-concept code was publicly posted. The JavaScript code used a capability that Google used to integrate addressing with other services including its video download site and online office productivity suite. Google appears to have fixed the problem within 30 hours of being notified, wrote Haochi Chen, a blogger who tracks the companyon his blog. A Google spokeswoman in London confirmed on Tuesday morning that the problem was fixed.

Find your next job with computerworld UK jobs