Earlier I reported that Google had a flaw in which it stores contact details in a JavaScript file on their server. A website could in return declare the function “google”, and put all your contacts and their details into an array. From there it could have been parsed and sent to the malicious server using Ajax. Earlier today there were reports on zdnet that said the flaw was fixed, however at the time it wasn’t true. Currently as of 8 PM EST the flaw has been fixed. When attempting to execute the attack, all you get is a blank page now. Visiting the old page on Google that revealed all the data in an XML file now gives an error:

google ({

Success: false,

Errors: []

})

If you’re visiting the page and it still give your contact’s information, you need to log out of all Google services, and then log back in. Doing so will now result in the error. However the exploit will fail to work despite the fact that you haven’t logged out.

You have to give credit to them fixing the flaw on New Year’s Day in under 24 hours.

Note

The link to the XML file on Google’s server isn’t exploitable. The hack worked using JavaScript, and the file that used JavaScript is now giving an error. The XML file can’t be used to exploit GMail.