Gmail Contact List Hacked

Dennis Faas's picture

Right before the New Year, Google received a nasty surprise. Gmail users were susceptible to having their contact lists stolen and used for malicious purposes.

In order for the bug to activate itself, people had to be logged into Gmail and then go to a website designed specifically to exploit the vulnerability. Signing in to sites such as,, and Google Docs & Spreadsheets also left people in danger of having their contacts stolen. That's because those services are all linked to Gmail accounts.

The competition between Internet Explorer and Firefox didn't matter in this instance. The contact list hijacking hack worked on both browsers -- and Opera.

As Alex Bailey wrote on the Cyber Knowledge blog, "I guess this is why [Google keeps] the service in beta."

But Google didn't achieve Internet dominance by slacking off. The company's hard-working crew had the problem fixed by New Year's Day! (Source: - 1 and 2)

It took Google about 30 hours to fix the bug. The holiday presumably delayed the proceedings a bit. (Source:

A Google spokeswoman from London later confirmed that the problem had indeed been taken care of. (Source:

Readers of the Slashdot website were quick to voice their opinions. Here are a couple of handy observations and tips:

Slashdot user 'mabu' weighed in with his advice -- and a prediction:

"This is only a problem for people who are violating one of the primary security policies in the first place, and that's putting your contact list in Gmail in the first place. While Google may claim to not be evil now, there's no guarantee at any time in the future, all the information they collect from you and on you won't be given or sold to other entities or otherwise exploited for nefarious purposes. In fact, it's pretty much an inevitability this will happen, so it's not smart in the first place to store much information on their systems when more secure alternatives already exist."

Another reader, 'Dystopian Rebel', posted a warning:

"These problems will not go away. Software engineers will always make mistakes and malevolent people will always want your private data. The Web is 'open' by design and therefore open to exploits.

With the Web browser becoming an application portal, users need to understand that doing transactions that involve their personal data must be separate from general Web browsing.

You can switch off cookie permission and Javascript but this limits the functionality of many sites. I think the best solution is to use two different browsers, one for personal transactions, the other for wandering the Web." (Source:
