By Asher Moses
January 2, 2007
A serious flaw has been discovered in Google's free email service that
allows attackers to steal users' entire contact lists.
To exploit the flaw, an attacker would add a small piece of code to a
web page on a server they control. That code, in turn, gave them access
to the Gmail contacts of anyone who visited the page, so long as the
visitor was also signed in to their Gmail account in another window:
the victim's own browser supplied the logged-in session, and the
attacker's page simply asked for the data.
The hacker could then add the stolen contacts to an email spam database,
or sell them to other spammers.
Gmail, the third most popular free web-based email service, has been
embraced by both personal and business users alike, largely because it
allows for easy access to messages from any computer worldwide.
Google's security team appeared to have fixed the flaw within hours, but
various subsequent reports suggested the fix didn't address the full
extent of the issue.
Further, it is understood that spammers were exploiting the security
hole for quite some time before it was discovered.
The simplest way to avoid being exposed is to sign out of Gmail when it
is not in use. The attack depends on the browser carrying a live Gmail
session, so once the user has signed out a malicious page has nothing to
borrow.
News of the flaw came just days after another, separate Gmail security
issue was revealed. From late December, some Gmail users - 60, according
to Google - logged in to their accounts to find all of their emails and
contacts had been automatically deleted.
User complaints soon flooded Google's Gmail support discussion board,
but some of the lost data could not be retrieved.
Google was then forced to work with each affected user to help them
restore their messages from any personal backups they may have made.
But it is not just Gmail security flaws that have been detrimental to
Google's goodwill leading into 2007. It has also been accused of
monopolistic behaviour, through listing its own products at the very top
of search results for terms such as "calendar", "blog" and "photo".
This practice is shared with other internet search providers such as
Yahoo and Ask, but Google's actions in particular have drawn the ire of
internet users who expect the company to live up to its idealistic
corporate motto - "Don't be evil".
Most notably, Blake Ross, a co-founder of the Firefox web browser, last
week criticised Google in his blog, suggesting it had lost its moral
Matt Cutts, head of Google's webspam team, responded to Mr Ross' claims
on his own blog. Surprisingly, he agreed with many of Mr Ross'
"I'd remove these tips or scale them way back by making sure that they
are very relevant and targeted," Mr Cutts wrote.
Google also came under fire last month when it was accused of
manipulating the results of its top 10 search term list, published
Google later clarified that the list was compiled based on changes in
the most popular searches on a year-to-year basis. Generic and offensive
terms were not included.
Technology industry commentators have suggested that, when combined, the
relatively minor issues could have a profound effect on Google's public
perception, which has remained largely untainted since the company's
"This subtle shift in public attitude could signal a tidal wave of
negativity down the road," said Michael Arrington, author of the popular