01-02-2007, 10:50 AM
Quote: Using a form of cross scripting, it becomes easy to steal a GMail user's contact list if they visit a certain type of website. The only condition is you have to be logged in to GMail at the time of the attack. GMail is set up to store your contact list in javascript files, which is the core problem. If you log into your GMail account, and click here, you'll see your contacts' details, along with their email. I've tried the hack on IE7, Opera, and Firefox; it appears to be working on all three. To see a demonstration of the attack, log in to your GMail account and go to this website. I don't know for sure if the list is being saved or not, so browse at your own risk. According to the website they aren't saving the data.
Something worth noting is that the email it claims is yours is never yours...
full article: http://cyber-knowledge.net/blog/2007/01/...hijacking/
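
The quoted article puts the core problem in contact data being served as JavaScript files. As an added example (not part of the post or the linked article, and not GMail's code), here is a hypothetical contacts handler in that shape beside a hardened one; the `X-Contacts-Token` header, the guard prefix and the sample session are assumptions made for illustration.

```javascript
// Hypothetical contacts endpoint (constructed; not GMail's code).
// A cross-site <script> include sends cookies but cannot set custom headers.
const GUARD = ")]}',\n"; // body becomes a syntax error if executed as script
const SAMPLE_SESSION = { token: "t-3f9a-constructed", contacts: [{ name: "Alice", email: "alice@example.com" }] };

// Constant-time comparison so the token check does not leak by timing.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Weak shape: the session cookie alone authorises, and the body is runnable script.
function serveContactsVulnerable(req, session) {
  if (!session) return { status: 401, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "text/javascript" },
    body: "var contacts = " + JSON.stringify(session.contacts) + ";",
  };
}

// Hardened shape: requires a per-session token in a custom header (assumed
// name), and returns guarded JSON with a non-script content type.
function serveContactsHardened(req, session) {
  if (!session) return { status: 401, headers: {}, body: "" };
  if (!safeEqual(req.headers["x-contacts-token"], session.token)) {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
    },
    body: GUARD + JSON.stringify(session.contacts),
  };
}

// Same-origin client: strip the guard, then parse as data (never eval).
function parseGuarded(body) {
  if (!body.startsWith(GUARD)) throw new Error("missing guard prefix");
  return JSON.parse(body.slice(GUARD.length));
}
```

The token check stops the cookie-only request from being answered at all; the guard prefix and `nosniff` header are a second layer in case a response is ever returned to a script include.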