Thursday, January 04, 2007

stealing your gmail contact list

early tuesday there was a burst of activity on a variety of blogs concerning a vulnerability that allowed an attacker to steal a gmail user's contact list if s/he visited a page with an exploit on it while logged into gmail in another window... the victim didn't have to do anything on the exploit page - being logged in was enough, because the browser sends the google session along with any request the page makes...

obviously the attacker in this scenario would be someone looking for potential new victims to send spam or phishing emails or some other kind of malicious email to... leaking your own address or the addresses of your contacts to the bad guys is of course not something you want to allow to happen, so gmail users were probably quite concerned about this for a while - at least until it was fixed, and it was fixed relatively quickly...

in the meantime people were advised to log out of gmail when not using it, the idea being that if you aren't logged in while you're browsing the rest of the web then if you happen to visit an exploit page it won't be able to do anything... that's all well and good if gmail is the only google service one happens to use, but what about all those people who use multiple google services? the way the google account logon works, when you log into one of them you log into all of them... can you imagine trying to make this advice work with google reader? especially with the broken, er, i mean partial feeds that basically require you to visit foreign pages while you're still logged into google... then there are all those blogs that require you to log in before leaving comments - for blogger.com blogs that means logging into google... or perhaps you use the google notebook firefox extension that not only keeps you logged in while you browse, it literally doesn't have an option for logging out, you have to go to the full notebook web page to do that... google's efforts towards single sign-on make being logged into gmail a fairly ubiquitous state to be in, and so give the attack a much broader range of potential avenues of success...

another, less friendly suggestion was to not store your contact information in gmail so that there would be nothing to steal (this was usually expressed in the form of 'what were you doing putting that information in there in the first place? you should know better')... of course some of us happen to have a lot of contacts and an email application (whether a client app or a web app) that doesn't have an address book is not all that usable... never mind the fact that google talk/chat/{whatever they call their IM service} requires you to store your IM contacts in that address book (maybe those same people would be telling you you shouldn't be using IM?)...

whatever, google fixed the problem so we don't have to worry about it anymore, right?... WRONG!... this is not the first time a google vulnerability has exposed the gmail contact list and it probably won't be the last... what happens the next time? what happens while the vulnerability is only known to the bad guys (when you won't even know you need to be careful)? logging out isn't all that feasible and clearing out your contact list makes gmail harder to use and breaks google's IM...

some will argue that erecting barriers around your contact info is something google should be doing with more secure coding practices, and it's certainly fair to point out that improvements can be made (and maybe even are being made), but there is a more fundamental barrier that we might want to consider... google makes one's contact list available from within its other services to make various sharing and collaboration options easier for people to use... if you don't use or rarely use that functionality, wouldn't it be nice to be able to turn it off so that your contact list wouldn't be accessible through a public API at all?... google doesn't offer a way to opt out of API access to your contact list, unfortunately, but there is a way for end users to get the same basic capability without google's direct assistance - use a secondary google account (perhaps one that isn't connected with a gmail account at all) for as many of the other google services one uses as possible... recall that the 'just log out of gmail' advice is potentially unworkable precisely because using most of google's other services requires you to log right back in again, but if you're logging into a different account for those other services then the session your browser carries around the web belongs to an account with no contacts in it... your gmail contacts won't be reachable through the API from that session and so shouldn't be exposed the next time a contact list exposing vulnerability comes along...
