GMail Hacked: Visit ANY Website, and Your Whole Contact List Can be Stolen
epodaeta.notlong.com — Works in Firefox, Opera, and IE. This link does not link directly to the exploit for obvious reasons.
- kubix, on 10/12/2007, -5/+38: WOW, this is pretty cool, it showed me all of my contacts when I was logged in. This sucks because I am always logged in.
- 47knight, on 10/12/2007, -5/+91: Same, over 600 of my contacts were exposed, and most of these are users from my site.
I'm digging this in hopes that Google will fix this.
- HaxityHaxHaxed, on 10/12/2007, -7/+51: @47knight
The original site says Google has been notified, but this should give some motivation.
I should also note this is a dupe of the original story which can be found here:
http://digg.com/security/Gmail_Bug_Your_Gmail_Contact_List_is_Being_Expose_to_Spammers
I duped it because I feel it's very irresponsible to link to the actual malicious source. Giving users the choice is more appropriate when exposing potentially thousands of people to it with no warning. Sure, he says he's not saving the emails, and he most likely isn't, but it's definitely not worth the risk.
- Bartboy919, on 10/12/2007, -4/+22: Hopefully this is fixed quickly, I know many people who rely on Gmail other than traditional pop mail.
- jeeraz, on 10/12/2007, -136/+0: http://endway.net/web/dodged.php?ID=16
- igraham09, on 10/12/2007, -42/+4: [edit] wrong post, bury promptly
- toppgun, on 10/12/2007, -0/+16: it said my email was xxxxxxx@xxxxxx.com even though it really is yyyyyy@gmail.com
it's good to an extent, it got most of my contact list but it missed a few and it incorrectly identified me
- neuros, on 10/12/2007, -1/+5: @toppgun
it incorrectly identified me, too. thought I was my own mother. that... would be a little too weird for me.
- kalleanka, on 10/12/2007, -4/+14: "For security reasons the code use in this example has been, err, encoded."
And here is the script decoded. :)

<script>
//Google pwned
// Callback that the feed below invokes; a.Body.Contacts is the logged-in user's contact array
function google(a){
    var emails;
    emails = "<ol>";
    // the first entry is the account owner, flagged in red
    emails += "<li>"+a.Body.Contacts[0].Email+" <font color='red'><--- Your email</font></li>";
    for(i=1;i<a.Body.Contacts.length;i++){
        emails += "<li>"+a.Body.Contacts[i].Email+"</li>";
    }
    emails += "</ol>";
    document.write(emails);
}
</script>
<!-- the feed answers with google({...}) and is fetched with the browser's Google cookies attached -->
<script src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999"></script>

- synystar, on 10/12/2007, -1/+41: Thank goodness. I was beginning to think that no one cared about my contacts.
- kalleanka, on 10/12/2007, -0/+6: @kubix:
This is NOT fixed. It still works.
- bias, on 10/12/2007, -11/+4: WTF you guys talking about, Google is never wrong, they must have a reason! err.... it's either Microsoft's fault or they have a really good reason!
Oops, better switch back to hotmail.
- Freddy36, on 10/12/2007, -10/+1: =========== TEMPORARY SOLUTION ===============
Block access to the page, I use AdBlock (Firefox) and additionally it's blocked by my local squid guard.
http://docs.google.com/data/contacts?out=js*
gmail's contacts are still working
=========== TEMPORARY SOLUTION ===============
- kuza55, on 10/12/2007, -1/+5: @Freddy36
What about URLs which look like http://docs.google.com/data/contacts?max=99999&out=js&show=ALL&psort=Affinity&callback=google
That won't do it, you need to block http://docs.google.com/data/contacts?* but then a bunch of Google stuff might stop working.
Also, did you guys know Google also provides it in XML form? http://docs.google.com/data/contacts?out=xml aren't they nice, :p Don't worry, the xml output isn't exploitable (unless you can somehow get a non-restrictive crossdomain.xml type file up there somewhere....), :p
- weirdness, on 10/12/2007, -9/+2: "Hopefully this is fixed quickly, I know many people who rely on Gmail other than traditional pop mail."
Traditional pop mail. I bet I could ask a hundred random people on the street today and not one of them could tell me what "POP mail" is. =)
- trollenlord, on 10/12/2007, -11/+2: I fail to see any real security problems with this. Someone can see a couple of email addresses? So what? It's not like they can get past the spam filters if they decide to spam them. There's really nothing anyone can do with a bunch of email addresses.
- tybris, on 10/12/2007, -2/+4: Blocking http://docs.google.com/data/contacts?*out=js* will do the trick.
- kuza55, on 10/12/2007, -1/+2: @tybris
Here, have a counter example: http://docs.google.com/data/contacts?max=99999&out=%6A%73&show=ALL&psort=Affinity&callback=google
:D
Don't worry, there are still other encoding methods out there as well.
You might get away with blocking http://docs.google.com/data/contacts?*out=* but I'm not 100% sure.....
- haochi, on 10/12/2007, -1/+22: Hi, I am the one that found the bug.
First of all, I am sorry if it causes any inconvenience, or if it makes you feel insecure about Gmail. *I apologize*.
The intention when I submitted this to Digg was only to get Google's attention to fix the bug, since I have been contacting them for hours, and they have failed to do so. (and the bug hasn't yet been fixed.) I would never have thought that anyone would paste the clear code out, although it's encoded a little, but I know that it's easy to decode - Firefox comes with a cool feature.
Once again, sorry to anyone for any inconvenience and sorry for this new year's gift to Google.
- worthawholebean, on 10/12/2007, -6/+1: This is a very simple XSS attack, similar to the Myspace worm that went around a little while ago. There isn't really much Google can do about it; a script can always simulate a human clicking on the contacts button. Even if they fix the "out" script, it will still be attackable.
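The blocking rules Freddy36 and tybris propose above match the raw URL text, which is exactly what kuza55's percent-encoded counter example slips past. The check below is added here (it is not from the thread or from any poster's tool): it parses the URL first so parameter values are compared after decoding; the endpoint list (the docs, notebook and groups feeds quoted in the thread) and the function names are assumptions for the example.

```javascript
// Added example, not from the Digg thread: a blocking check for the contact
// feed URLs quoted in the thread that matches on the parsed, percent-decoded
// query string rather than on the raw URL text. Uses Node's built-in WHATWG
// URL parser. The host/path list is taken from URLs posted in the thread and
// is an assumption, not an official list.
const LEAKY_CONTACT_ENDPOINTS = [
  { host: "docs.google.com", path: "/data/contacts" },
  { host: "www.google.com", path: "/notebook/contacts" },
  { host: "groups-beta.google.com", path: "/groups/profile/contacts" },
];

// Decode a URL path for comparison; a malformed escape leaves the raw path.
function normalizePath(pathname) {
  let p = pathname;
  try {
    p = decodeURIComponent(pathname);
  } catch (e) {
    // invalid percent-encoding: compare the raw path instead
  }
  return p.replace(/\/+$/, "") || "/";
}

// True when the URL is one of the known contact feeds requested in the
// JavaScript/callback form. Only out=js is flagged: kuza55 notes above that
// the xml form cannot be pulled into a page through a <script> tag.
function isContactsLeakUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false; // not an absolute URL at all
  }
  const host = url.hostname.toLowerCase();
  const path = normalizePath(url.pathname);
  const known = LEAKY_CONTACT_ENDPOINTS.some(
    (ep) => ep.host === host && ep.path === path
  );
  if (!known) return false;
  // searchParams yields decoded values, so out=%6A%73 compares equal to "js".
  // Parameter names are compared case-insensitively to stay conservative.
  for (const [name, value] of url.searchParams) {
    if (name.toLowerCase() === "out" && value.toLowerCase() === "js") {
      return true;
    }
  }
  return false;
}

// Constructed sample: the URLs quoted in the thread plus two that must pass.
const SAMPLE_URLS = [
  "http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999",
  "http://docs.google.com/data/contacts?max=99999&out=%6A%73&show=ALL&psort=Affinity&callback=google",
  "http://www.google.com/notebook/contacts?out=js&callback=asdf",
  "http://groups-beta.google.com/groups/profile/contacts?out=js&show=ALL&psort=Affinity&callback=init&max=99999",
  "http://docs.google.com/data/contacts?out=xml",
  "http://docs.google.com/",
];

// Returns [url, shouldBlock] pairs for the sample set.
function classifySamples() {
  return SAMPLE_URLS.map((u) => [u, isContactsLeakUrl(u)]);
}
```

The first four sample URLs are flagged and the xml form and the site root are not; kuza55's `%6A%73` variant is caught because the comparison happens on the decoded value.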
- GamingNews, on 10/12/2007, -6/+1: Why are you always logged in??
I would have maybe considered this article worth digging if it was pointing to the original source on googlfied. As it is, it just looks like another lame attempt to get blog traffic, and even worse, it appears to have worked. Yet another digg miracle.
- HaxityHaxHaxed, on 10/12/2007, -22/+2: Delete.
- netdroid9, on 10/12/2007, -1/+24: NoScript appears to stop this from working.
- konig12, on 10/12/2007, -0/+2: Apparently only if the settings are correct. It didn't prevent it for me, just messed up the formatting. Time to fix that.
- Dmitrik, on 10/12/2007, -2/+1: Only if you don't have googlepages.com set as allowed.
- NiroZ, on 10/12/2007, -0/+1: well it should block cross site scripting at least, meaning that unless they send you to the actual page, you should be safe.
- gklitt, on 10/12/2007, -2/+7: Ah, Steve Gibson's "don't use scripting" advice comes in handy again.
- vango, on 10/12/2007, -0/+0: thanks, I'd never used NoScript before and now I will. gratzi
- ldavid, on 10/12/2007, -5/+3: Ouch...scary stuff :s
- tommajor, on 10/12/2007, -4/+12: so disable javascript except on trusted sites.
- Cglass, on 10/12/2007, -7/+2: Pansy, you should try living a little; IE6 w/ JS and ActiveX enabled on all domains with full access to anything. Haha just playing, I'm not CRAZY O_o
- kd5ftn, on 10/12/2007, -1/+13: Yikes! I'll stick to using my gmail via pop3!
- jonmon6691, on 10/12/2007, -4/+19: WOW, some great news to start '07
- sishgupta, on 10/12/2007, -0/+6: It got "my email" wrong but the rest worked. A workaround (till it's fixed) to this is to always log out of gmail before using any other sites.
- headzoo, on 10/12/2007, -0/+6: That's kind of a problem though. Google (not so wisely) chose to use a global login. So for those of us using other Google features, like the personalized home page, logging out of GMail also means logging out of those services. That's probably half the reason why most people just stay logged in.
I imagine email harvesters will have a field day with this.
- gaijin, on 10/12/2007, -0/+2: I don't know...I use personalized home page but check my email with thunderbird and it didn't see my contacts.
- KnightMareInc, on 10/12/2007, -21/+3: reminds me of the "WE KNOW YOUR IP LOL" or "HERE IS YOUR FILES LOL" banner ads, can a site really save the contacts or what?
- KnightMareInc, on 10/12/2007, -26/+1: wtf digg is acting weird.
- norbiu, on 10/12/2007, -7/+19: You are acting weird.
- KnightMareInc, on 10/12/2007, -22/+4: no you are
- ldavid, on 10/12/2007, -16/+3: ^ ^ loser
- KnightMareInc, on 10/12/2007, -18/+2: ^^*****
- Jleagle, on 10/12/2007, -1/+0: yes, they can. It's ideal for spammers, they just need people to visit a website and they have their whole contact list.
- jonmon6691, on 10/12/2007, -1/+5: Are we sure this isn't just client side script or does the server have access to the addresses?
- konig12, on 10/12/2007, -1/+7: Does it matter? Any client script could send the information to a server.
- M4v3R, on 10/12/2007, -0/+7: This is Javascript code, but it could easily save your data by sending it via AJAX or an iframe form to a PHP script. I've checked the code and it doesn't, so you can sleep calmly.
- KAMI_no_kodomo, on 10/12/2007, -2/+3: @konig12
yes it does matter and yes it's only client side code. Or at least it needs it.
And since I run NoScript in my firefox and only allow trusted sites to run javascript it doesn't work here.
So the fix is: use NoScript in Firefox. Or allow only trusted sites javascript in _how is that microsoft browser called again?_
And stop crying. Javascript is enormously insecure. There exist complete portscanners and even server attacks in javascript. Welcome to web2.0
- xelloss, on 10/12/2007, -3/+2: Dude, I was wondering why my main email was getting so much spam in Gmail all of a sudden, must have got my good email off of my spam email...hmm or something else, idk, hope this is fixed though.
- lozaning, on 10/12/2007, -14/+2: am i the only person who doesn't really care if my contacts are out on the interweb. i don't do anything serious with my gmail account, sometimes email friends and read newegg ads. that being said contacts are one thing, if it were my actual emails i would freak
- ShitHappens, on 10/12/2007, -1/+23: I think your contacts might care.
- oceanmoon, on 10/12/2007, -1/+3: My gmail is sacred...of course I care!!!
(and so will everyone on my contact list who gets a subject line with: "plz fix your accountz imMediateLy")
- Progranism, on 10/12/2007, -3/+8: Here's how it works:
The GMail page mentioned:
http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999
is a javascript file that calls the function "google" with an array of all your contacts. What this hack does is declare the function "google" and then include that JS file. Simple as that.
- centic, on 10/12/2007, -2/+7: well.. that's upsetting
- markthegoth, on 10/12/2007, -1/+4: what about safari?
- M4v3R, on 10/12/2007, -0/+5: It should work in *every* browser that supports and has Javascript turned on.
- shyguy01, on 10/12/2007, -0/+2: Can confirm it works in Safari 2.0.4 (latest)
- markthegoth, on 10/12/2007, -1/+3: damn ( >.< ) i hope they fix this soon.
I don't really care if it's still "beta", it's been beta for too long anyway, if their excuse is that it's still beta then the final release will have to be PERFECT for me to be happy.....
- adamjacobmuller, on 10/12/2007, -3/+1: the deobfuscated code is at http://blog.adamjacobmuller.com/gmail.txt
- JamesWilson, on 10/12/2007, -0/+4: It'd be easy for them to fix this, just check for the referer, make sure it is gmail.
- kuza55, on 10/12/2007, -0/+1: @JamesWilson
They *could* do that, but it wouldn't be the cleanest solution since a lot of people have referer blocking software on their computers. And I don't think google would want to start breaking things. But we'll see.
- JamesWilson, on 10/12/2007, -0/+3: Another option is to encrypt all the data based on a key that is known by the gmail session and decrypt it client-side.
Another possible fix is to not hand out the contact list without a unique token passed in the querystring.
- 1911wolf, on 10/12/2007, -4/+2: I posted this in the other topic, may as well post it here:
So, the solution is to logout of your GMail session? Shouldn't you already be doing that? Maybe I'm in the minority here since I don't leave any web site session logged in.
- kuza55, on 10/12/2007, -4/+2: Goddammit, this is one of the things I really hate about blogs, it gives people an excuse to rip other people's content, comments, work, etc, and not even credit them, and no-one seems to care, and the original source ends up being completely ignored.....
@elmasri
Is it really such a big deal? It's cool, really cool if you ask me, but is it a huge security glitch? Only if someone pumps out a worm before Google patches it. Sure, it's possible, and it wouldn't take too long, but I think most of the people who could wouldn't bother.
- HaxityHaxHaxed, on 10/12/2007, -2/+5: Actually this is my blog and I posted directly in the Digg comments where I found it, and why I duped the post. The source was the malicious content! There is no reason to send Digg users to something potentially dangerous with no warning...
- kuza55, on 10/12/2007, -7/+4: How is it malicious, you can clearly see (if you decode it - or look at one of the many decoded copies floating around) that all it does is show them to you, ok so it is encoded, but that doesn't mean it's malicious, that's just a user trying to protect google (ok so decoding it and posting it might not have been the best thing to do, but I'm not too fussed, :p), the next thing you'll say is that an XSS hole which alerts the word "Hi" is malicious.....
Ok, so you posted where you got it from in the comments on digg, but firstly most people don't read comments, secondly, not everyone who goes there will go through digg, so wouldn't it make more sense to post it in your blog which people are actually reading?
- dainBramage, on 10/12/2007, -1/+15: Hmmm, maybe Gmail really is still in BETA!
- kuza55, on 10/12/2007, -1/+1: @blacklint
You know, the funny thing is you can decode that in seconds using the Web Developer toolbar, and I'm sure he spent at least a good 5-10 minutes or so encoding it......
Gah, replied to the wrong post - it's addressed at the post (currently) right under mine.....
- blacklint, on 10/12/2007, -0/+2: Scary. And that guy really went all out obfuscating the JavaScript... you need to get to the hmm... 4th layer to see just how good it is. Too bad that you can't actually secure JavaScript: it took me not all that long to get down to the actual source (it felt like notpron).
The good news: The example site is true to its word and is not stealing your contact list.
The bad news: It would be trivial for a person with say... worse intentions to get the entirety of your contact list (complete with any added phone numbers and addresses, which is not shown in the example)
- blacklint, on 10/12/2007, -0/+1: Alright, this is interesting... @kuza55 (see the accidental reply to the post above me)
So that's how everyone else did it. My way of making changes to the JavaScript to unencode each layer and output it instead of interpreting it was apparently a big waste of time, but more fun ;)
Everyone else must never have gotten to see some of the pointless code, such as...
function dF(s){
var s1=unescape(s.substr(0,s.length-1)); var t='';
for(i=0;i
- kuza55, on 10/12/2007, -0/+1: Well, I'm not sure if that's how others did it, but anyway, if you use the view generated source feature of the toolbar it shows you all the stages, because the javascript just keeps writing to the page, and doesn't delete any of its stages. If he had made the javascript delete itself from the DOM after executing we would have had to go through it all, but yeah, not in this case.
On a side note, from the way I did it there could potentially be code in there hiding from my method by deleting itself, but I was also running the LiveHTTPHeaders extension (just in case, you know), so if it was sending my data offsite, I would have seen it.
- Vision2098, on 10/12/2007, -3/+2: 404'd
- gravis86, on 10/12/2007, -0/+4: ...And yet another reason to use NoScript...
- Rice, on 10/12/2007, -0/+2: Gibson will have a ball with this.
- bertboerland, on 10/12/2007, -0/+3: wowsers, the "retrospective perditions of 2007" by http://www.heise-security.co.uk/articles/83058 is already done with this part
they wrote a document in 2006 as if it was 2007 and did the security highlights of that "past" year. Guess what:
"the private mails of thousands of GMail users could be accessed via the search front-end for at least one hour."
Well, not exactly right but to see that this year started with compromising all contacts is bad enough.
BTW: whatever happened to giving a vendor two weeks to fix it before going public with an exploit? I mean 1/2 an hour! that's absurd, even for the best security team in the world. I think the guy was just "hits horny" and not driven by making the web more secure.
- SniperDuty, on 10/12/2007, -2/+0: I dig
BTW I use the web browser Flock with photobucket resources, and the page displayed nothing about me or my contact list. Maybe Flock isn't afflicted.
- Yazoo, on 10/12/2007, -2/+0: I'm not even logged in GMAIL and it still works!!! Try it for yourself.
Where's it getting the list from?
- kuza55, on 10/12/2007, -0/+2: @ Yazoo
If you're logged into any of google's services other than Adsense (that's Blogger, Analytics, Orkut, etc), then you're logged into Gmail as well.
- Yazoo, on 10/12/2007, -2/+0: Nope, i'm not logged into ANYTHING to do with google. I'm not even on google.com. Strange.
- guensberg, on 10/12/2007, -1/+1: My guess is: from your browser's cache.
- jonmon6691, on 10/12/2007, -0/+0: go to gmail.com and click the sign out link in the upper right
- seventoes, on 10/12/2007, -0/+1: 'Logged In' doesn't mean 'On gmail.com', as long as the login cookie is still on your computer. Eg: if you can go to gmail.com and it shows you your email without having to put in your password again
- gabeN, on 10/12/2007, -2/+1: boogle...
- rabidphage, on 10/12/2007, -3/+0: i predict lots of good content in the coming weeks to lure you to sites specifically designed to steal gmail contacts and spam you and your contacts to death.
might as well enjoy the ride as i ain't got nothing to do with gmail other than my spam email address.. gmail is my very own spam archive..
i for one don't welcome the online overlords
muhahahaha
- erikocc, on 10/12/2007, -0/+1: for those asking does it work in ***** browser?
it works in camino and safari and ie6 for mac.
- jeriqo, on 10/12/2007, -0/+3: It works in any browser designed after 1990.
- stormgren, on 10/12/2007, -2/+3: Does NOT work in Lynx 2.8.6 (latest)
- invader, on 10/12/2007, -0/+1: w00t! lynx pwns!
/sarcasm
- rabidphage, on 10/12/2007, -5/+0: http://www.engadget.com/2005/05/07/google-down-google-hacked-not-hacked/
google hacked.......pwned
muahahaha
- AceHigh, on 10/12/2007, -1/+1: well done, i guess google will be fixing it in the next couple of days...
- m3mn0n, on 10/12/2007, -4/+8: 1. Everyone should get the NoScript extension for Firefox. Disable javascript globally and then only allow select sites the ability to run JS in your browser. That will fix this security hole and many others.
2. This is Ajax security gone bad. I wouldn't be surprised if many other web 2.0 sites that pass sensitive data via Ajax had this sort of a security issue.
3. To the idiots that are posting code on how to exploit this.... STFU! This is an un-patched security hole and spreading around code only makes this issue worse.
4. The fact that this article links to the exploitable data is bad enough. We didn't need to see that, that only helps people wanting to steal data know what file to use. All the public needed to know was a security hole exists and Google has been notified. FFS... whoever blogged this seriously needs to take some lessons from the big companies who find/report on Windows security holes.
Do you see those guys posting code and linking to resources to help hackers?
- kuza55, on 10/12/2007, -2/+4: This whole comment is directed at m3mn0n's post:
@point 3:
Oh noes, people are giving out information, it must be suppressed, or at least that's what you seem to be saying. Can anyone else see something wrong with that, or is it just me? Seriously though anyone who can modify this code to steal your email addresses could deobfuscate it. All that providing the code and explanation of how it worked did was give those who can't a greater understanding of what NOT to do when writing code.
Sure, it could have been posted afterwards, but almost no-one wants to read about something which has been patched. And frankly I'm sure that's what most people who post content are interested in - readership.
And please don't call people idiots when they clearly aren't. They might not share your moral convictions about disclosing information, but that certainly doesn't make them idiots.
@ point 4:
Ok, you didn't need to see it, but I certainly did. And saying that you should do what the "big companies" do is just silly, "big companies" have completely different goals - they have a product or service to sell, and their job is to convince you that they can perform a service better than anyone else, and that their products are the best, and they have the best people working on your problems, etc. Whereas bloggers want to post things which interest, and frankly posting details is much more interesting than posting that there is a flaw.
@ "All the public needed to know ..."
Frankly, I think that your desire to suppress information is worrying, but I'm completely sure that there's no way of changing your views on that, so I'm not going to bother trying.
- m3mn0n, on 10/12/2007, -2/+3: don't try to spin this as if it's some sort of issue of free speech
this is about protecting your typical non-geek internet user from having their privacy violated and their personal information exposed at the hands of some idiot who wants to steal that information for whatever reason
what possible good does it serve to tell the masses where to and how to exploit recently discovered and un-patched security holes? seriously, arguing for promoting that sort of sensitive information to be mass marketed is retarded
- zmx32, on 10/12/2007, -3/+1: Enough of this crap of disabling javascript. At this point in time (AJAX means Asynchronous JavaScript and XML) this is no longer an option.
- kuza55, on 10/12/2007, -1/+1: @m3mn0n
No, it's not a matter of free speech (it's more a freedom of information thing), it's a matter of people needing to know why this occurred so that they don't make the same mistakes. Sure not everyone on digg is a developer, but a bunch of people here are, and without some kind of coverage and examples of the implications of these issues people will either not know they exist or will fail to remedy them in their own software.
And I still find your desire to suppress _information_ (not speech), even if it is to 'protect' people, worrying.
- adolfojp, on 10/12/2007, -1/+10: I wonder if diggers' response would have been as mild as this had this happened to MS hotmail.
- shyguy01, on 10/12/2007, -3/+3: Google say it's been fixed
http://blogs.zdnet.com/Google/?p=434
- 100101111, on 10/12/2007, -1/+2: Still works for me. Except that my e-mail address is showing wrong.
- moktoipas, on 10/12/2007, -1/+1: Corrected on "video.google.com" but not on "docs.google.com"
- MrSunshine, on 10/12/2007, -0/+3: "December 31st, 2006"
It's 1.1. here and can still access the Javascript.
- DenDen, on 10/12/2007, -8/+4: I will say this every time, Google is no good.
- Hyperreality, on 10/12/2007, -3/+1: I get a 404 error when I click on the link!
- Bottomless, on 10/12/2007, -2/+4: "Thanks for reporting this to us. We have identified and fixed the problem" — Google Security
Mmm.... Google security, I owe you my hand to dance. My contacts are still showing though on that page.... even if it gets MY email wrong.
- zonemen, on 10/12/2007, -3/+2: It's because the contacts are still stored in your browser cache. Delete your cache and log back into GMail, and it should be fixed.
- zcreem, on 10/12/2007, -0/+4: Not true, I cleared my cache and it still leaks.
- nikolai, on 10/12/2007, -0/+7: http://www.google.com/notebook/contacts?out=js&callback=asdf does the same thing so I'll block that one too for the time being
- nikolai, on 10/12/2007, -1/+2: oh and http://groups-beta.google.com/groups/profile/contacts?out=js&show=ALL&psort=Affinity&callback=init&max=99999 :) Fun finding these
- rabidphage, on 10/12/2007, -2/+1: google homepage redirection.. i say a nasty hack
http://www.engadget.com/2005/05/07/google-down-google-hacked-not-hacked/
- preist, on 10/12/2007, -2/+0: Hope they'll fix it.. I don't like the idea that someone has a script that can do this.
- WallnutBoy, on 10/12/2007, -3/+2: Google have gotta fix it! I've never been annoyed or upset by Google before in all my time of having an account...
Hmm.. It is kinda scary that they managed this, though..
P.S Happy new year everybody!
- fozzie, on 10/12/2007, -1/+3: That's why I use NoScript, my favorite Firefox plugin.
- riverrunner, on 10/12/2007, -3/+5: My favorite is Ad Block Pro. IMO NoScript is like using a sledgehammer to kill a fly.
- m3mn0n, on 10/12/2007, -2/+3: AdBlock != NoScript
apples and oranges
- mentholmoose, on 10/12/2007, -1/+13: Shouldn't be too much of a problem for me, because I have no friends, and therefore, no contacts. Woohoo.
- m3mn0n, on 10/12/2007, -4/+2: One of the few times it pays to be a loner, eh?
Too bad for me and others with our contact list full of 50+ emails, phone numbers, and etc.
- m3mn0n, on 10/12/2007, -3/+1: I know. I know.
- deathray, on 10/12/2007, -8/+1: I just made a sample page with a little formatting. If you see a list of your contacts so can the spammers.
http://vivekjishtu.googlepages.com/contactlist.html
Just view the source of the page to see how it's being done.
- m3mn0n, on 10/12/2007, -2/+1: and why the hell should people trust you not to be a spammer trying to harvest info?
- deathray, on 10/12/2007, -2/+2: If I wanted to harvest the info I would not post it on googlepages where there is no server side processing.
- marnaq, on 10/12/2007, -4/+1: deathray, you can use any other site for the saving of data. ***** you.
- ragipy, on 10/12/2007, -6/+3: Damn Microsoft, when will they learn to write at least decent code... ohhh wait
- fernyb, on 10/12/2007, -2/+1: oh crap.
- rasty, on 10/12/2007, -0/+2: Not to make a bad situation worse, but wouldn't it be even more harmful if someone finds a use for the "AuthToken" available in the data returned from the incriminated function?
Argh
- cooldudevamsee, on 10/12/2007, -1/+1: Does this work in Opera Mini ?
- moktoipas, on 10/12/2007, -0/+0: Yes, this is not a flaw in browsers, but in google website(s)
- Namain, on 10/12/2007, -1/+2: YAY for client side e-mail clients. Just install MS Outlook, Mozilla Thunderbird or use MS Outlook Express, configure them to use your e-mail account and this problem just goes away. You don't ever have to actually visit mail.google.com from your web browser.
- haochi, on 10/12/2007, -0/+3: Well, if you use other Google services that require login, it will do the same trick. :)
- spinchange, on 10/12/2007, -0/+2: Thanks for kicking some SaaS, haochi ;-)
- eaburk, on 10/12/2007, -0/+0: Why doesn't google just get rid of the script that creates the contact list. Then whatever sites they have that use the function would break but at least until they have an ultimate solution to the problem my contacts won't be available upon request.
- gabeN, on 10/12/2007, -0/+4: It's a y2k7 bug...