Gmail Information Disclosure

beNi and I have been talking a lot about some issues within Gmail where too much information is disclosed by AJAX and JSON. Alas, it has finally been proven to allow for information disclosure. The example he built is based off a tiny XSS hole (that requires user interaction), but any XSS hole will do; this is only a proof of concept. Click here to see his post on the topic.

This is the second time Google has had this issue (the first was found by Jeremiah Grossman over a year ago). It’s not a good idea to have sensitive information stored like this, but really, once you find XSS on a system it’s almost irrelevant. But from this point forward your contact list will be vulnerable every time an XSS exploit is found (of which there are probably hundreds on the site at the moment). Not to mention the other terrible things you can do to Google consumers once you have XSS on Google. Nice find, beNi!

5 Responses to “Gmail Information Disclosure”

  1. Wladimir Palant Says:

    Funny… That’s the XSS vulnerability I posted three days ago:,44,7969#msg-7969. I find it a little difficult to believe that he discovered just this vulnerability independently but he says you can confirm…

    And yes, once you have found an XSS on a site like this one it is pretty irrelevant how data is stored. Maybe I should write some nice PoC for Yahoo - finding XSS holes is definitely easier there.

    The other funny thing is that I found exactly the same hole in Hotmail/Live Mail as the one in Gmail discovered by Jeremiah Grossman. Only that it wasn’t the contact list but all the mails and the authorization token. That was over a month ago and they asked me again not to write about this one - it is supposed to take only a few days more.

  2. beNi Says:

    Hehe, I was shocked too when I saw “trev” posted “my” vuln in the FullDisclosure thread, but I found this one some time ago while I was researching for my PoC, trust me ;-)

  3. hackathology Says:

    Great work, beNi. Did you inform Google after you made it public?

  4. Wladimir Palant Says:

    hackathology, Google seems to read the forum - so they should be informed.

  5. beNi Says:

    I didn’t notify them and I won’t in the future. The reason is at the bottom of my post ;)