Another Gmail Problem
by Michael Arrington on January 1, 2007

The last thing I want to do right now is post about yet another problem at Google, but this one was big. Any website could read your entire Gmail contact list simply by putting a bit of code in its pages that called Google’s JSON contacts API: your browser sent your Google cookies along with the request, and the data came back as JavaScript that the hostile page could run and capture. The hole has apparently been fixed, very soon after it was reported.

I’m not going to go on and on (again) about how much trouble Google is getting into with these problems. In this case Google did not let days go by before responding; they addressed it immediately.

This is good fodder for the ongoing JSON debate, though.

Comments

  • RIGHT - Michael the hacker… lol

    When you bash a company like Google you kinda need… uhm… proof?

  • LOL I did not see the ZDnet link. Hehe, that was dumb of me to post that first comment. Anyway, I’m sure your ego is bloated enough to not take any offense :)

  • According to the linked post, the vulnerability hasn’t been fixed. Instead it was hastily covered up in one specific situation but the core vulnerability still exists.

  • Oh no, a “free” service has a flaw. Cry me a river made of the tears of unprofitable Web 2.0 bloggers.

  • But Mr. Arrington, I thought gmail was perfect

  • Google’s problems are certainly not ending. All of a sudden their calculator, currency conversion, and unit conversion features don’t work either. Hope they get them working again, they were very useful!

    There are about a thousand threads complaining about one broken thing after another over at WMW this last week. I feel sorry for the Googlers heading back into work this week..

  • Huh? Based on my reading of the issue, the problem has absolutely nothing to do with the format in which they deliver the results of the API call (i.e., JSON), but with the API security sanity checking. That is, if the results were being returned in XML, you’d still have the same problem.

    But maybe I misunderstand the problem. I’m happy to be corrected.

  • Do you think Gmail will work on the new italk from apple?

    check it out: http://youtube.com/watch?v=Nf4iS6-73g8

    looks too good to be fake…?

  • not a big deal

  • Slow news day? Why not start the new year out right with some positive news?

  • Mike - more of a hangover day. Trying to find some.

  • Gotcha. Now we’re talking with Eroshare… :)

  • The real problem with all of these new Ajax sites is that no one took the time to look into the security issues. Why not first evaluate the technology you are about to use, implement strategies to work around any security issues, and design the site correctly?

    Note: No matter what the resource or how seemingly useless that resource is to people, someone will exploit it.

  • At least they are quicker to fix things than Microsoft, but this shows Google’s slippery slope coming into play. They are going to have major privacy issues as they get bigger, and their “don’t be evil” motto doesn’t help them at all anymore; maybe in the beginning it did.

  • I imagine Google may have to enter a slower development pace to avoid these PR nightmares.

  • Seems like a good time to remind people they shouldn’t be letting just any old web site run script on their browsers.

    http://www.noscript.net/whats

  • Folks, that means BACK UP all your Google stuff from time to time, or you run the risk of opening your Google Notebook one day and finding it empty..

  • The JSON URL won’t work now (it has been fixed), BUT the XML URL still returns your contact list … not yet fixed apparently

    The XML URL: http://docs.google.com/data/co.....max=999999

  • Michael, I reported a somewhat similar exploit almost a year ago:

    http://red66.com/blog/2006/03/.....-contacts/

    It’s different in that you don’t need the API to exploit it, but you do need physical access to the target computer. I reported it to Google at the time, and I believe it was eventually fixed.

  • I think for things like API security holes it comes in handy that they are still waving the Beta flag under their logo (after how many years? 3? 4?), so they can still claim that you agreed to the Beta terms, which for sure don’t take any responsibility if anything like this happens. That being said, I agree that Google has become enough of a household name that people tend to trust it, no matter if it says Beta or not, and if something bad happens, the pillar of trust begins to crack. And lately, it’s been cracking in several places.. hopefully they can fix it before it crashes!

  • What most people here are missing out is the fact that you have to be extra careful when creating JSON APIs. Unlike services which return XML, JSON calls can be easily made across domains. If you tried to make an AJAX call, it would fail, but an AJAJ (JSON instead of XML) call would work.

  • Did you ever notice:
    Within the sponsored links box on the top of a Google paid search results listing, clicking anywhere takes you to an advertiser’s URL?

    Also, if you click on the text “Sponsored Link” it takes you to an advertiser’s URL vs., say, a description of what a Sponsored Link actually is.

    Lame.

  • What the hell is up with Gmail and the inability to buy more storage space or easily delete attachments or at least easily search for the largest attachments!? I am out of space and it’s a nightmare. What are these people thinking? This can only be a growing problem.

  • Invite yourself, create another account and forward all mail from your existing account to the new one.

    Easy.

  • Jimmy and Dan,

    Well, even though Dan’s quick fix suggestion would certainly work, this is what in my country we call a chapuz; a kludge, a MacGyverism if you will.

    The thing is, Google is not in the business of selling email space, Jimmy. They would end up spending more sustaining the infrastructure needed to collect cash from a few individuals, than what they would actually gain from providing such a service. Sadly, their standard answer at the moment is “We keep adding free space, please bear with us”… but this is hardly good enough for the growing number of folks who are running out of Gmail space.

    What Gmail sorely, sorely needs is the ability to sort messages by something other than date. All over the Web you read requests, cries even of folks who want to sort by read/unread messages, sort by size, sort by answered/unanswered. I’m guessing that, given the way Gmail works (based on searches), implementing sorting has proven so difficult that they haven’t rolled it out just yet. I don’t even want to imagine the possibility that they haven’t even begun work on this… although that’s certainly possible.

    And Jimmy, one final word: you can click on the little “Show search options” link next to the search buttons in Gmail, which shows an option to search for emails with attachments. Maybe not a complete solution, but it’s a start.

  • I forgot to include this in my last message:
    http://labnol.blogspot.com/200.....under.html

    There are some useful tips in there for keeping your inbox size under control. The one I found particularly useful is this one:
    “» The query string “has:attachment” will list all messages that have an attachment. If you further refine the string to “has:attachment from:me label:sent” - it will show all messages with attachment in the Sent Mail folder that were sent by you. Deleting them can retrieve lot of important space.”

    There are more good tips in there. Give it a look.

  • Please help: every time I try to log in to my account, or even to the Gmail site or any site starting with google, I get a message “your page can’t be displayed”.
    Anybody help?
    I also have Firefox and it did not help.
    moh

  • Please help: every time I try to log in to my account, or even to the Gmail site or any site starting with google, I get a message “your page can’t be displayed”.
    Anybody help?
    I also have Firefox and it did not help.
    moh
    Anybody answer me

  • Gmail has been down for 12 hours! Argh

    moh,
    you must be behind a proxy or router that has been set up to block Google.

  • I can load up the Google page to receive mail; the inbox appears but no mail is showing, either there or in any of the boxes (sent mail, archives, etc.). Google will not allow me to scroll down the page or access any other instructions. I can compose and send mail. I have two accounts and the same thing happens on both of them.

    My husband has a google account and uses the same computer and has no problems.

    Has anyone any ideas please.

  • I can’t even log in to the Gmail account. It’s giving me the proxy server page… same thing for Yahoo’s email…. What’s going on???
