2007-01-03

Scary Gmail Security Problem

I'm reading about CSRF on Ajaxian and it's pretty disturbing. This vulnerability lets a potential hacker grab your entire address book if you make the mistake of visiting their site while still logged into your Gmail account.

The idea is that because you're logged into Gmail, all the malicious user has to do is access Gmail's (publicly available) JavaScript library, which, upon confirming that you're logged in, loads up all your contacts. Unfortunately, the website will then also have access to your contacts, and Google knows what else.

Anyway, even if Google fixed this problem already (I have no idea), it's yet another thing I have to worry about as a web developer :-P

--YY
