Contacts handled properly

(Warning: Serious “my eyes glaze over” stuff ahead, but better to talk about it than not.)

Google has a way to store contacts in JSON form. JSON stands for (JavaScript Object Notation), and it means that data can be loaded and parsed directly by JavaScript. Unfortunately, a security hole meant that other pages could also access this contact data. (Not to worry, I believe it’s all fixed now.)

This was first noticed on, since they recently launched a feature that allows you to mail videos to people on your contact list, and people noticed the fact that we were using this new method to invoke contact list info. After the video team patched their problem (within a few hours), it was discovered the same problem existed on a few other Google properties as well (for example, Google Groups and Google Notebook).

The properties were fixed in a variety of ways: On some of them, we immediately fixed the code to properly stop JavaScript. On others, the urls were blocked until the next push of that service will happen. I believe the security folks have everything fixed now, but the multiple properties involved is why it kept seeming like we didn’t properly ‘fix’ the problem at first.

As always, if you see security-related problems, please contact Google’s security team (the upshot of that page is to email security at One last point I wanted to mention is the difference between client/desktop applications vs. services such as web-based applications. Applications on client computers can take a long time to get fully patched (if they do get patched). Deploying a server-side security fix is generally really fast. Even this situation (where several Google properties needed to be changed) yielded a much faster fix than patching so many client-side applications, and much of this was happening on New Year’s Eve and New Year’s Day when most normal people are sleeping off the night before. 🙂 I do think that server-side software often helps companies with faster release cycles and easier fixes.

10 Responses to Contacts handled properly (Leave a comment)

  1. Matt

    I give up 🙂

    I promiss not ask anymore about 2007 Grabbag.

    Don’t wish Mrs Cutts to wake up and smell the coffee 🙂

  2. Thanks, Harith. I gotta work off a list o’ things I want to talk about, and January is normally a busy month (setting goals for the year, assessing the last year, stuff like that), but I promise that I will keep a grabbag post in mind. 🙂 The Google webmaster group isn’t a bad place to try grab-bag questions, either.

  3. They were ringing in the new year making security patches? Poor googlers. Thanks for a job well done and keep up the good work!

  4. Very nice open discussion, Matt. And you make a great point about server-side applications, too.

    And if you’re taking grab-bag posts, I would like to learn more about Google’s plans for the Blogsearch. Like, will they get their own blog? Will they get more servers (the run-time errors are driving me nuts!).

    And I recall you said you woud pass on a request to the CSE team a few weeks ago to include supplemental pages in the custom indexes. I’d like to amend that request to make it optional (or, better yet, let us provide an option to the users to see either Main Index, Supplemental Index, or Both).

    And then I would be interested (on the gadgets side) to see you discuss some more stuff about Google video and ways people can work with it.

  5. Matt,
    Who do we contact about the google directory being so out of date?

    If you check out this link :

    You can see that the copy right at the bottom is 2 years old. I have been in DMOZ for two years but have yet to be listed in the google directory page.

    Who can I contact?

  6. Matt,
    Thanks for writing this article, and I really think the speed at which Google fixed this problem is outstanding — especially considering this all went down on a holiday!

    I applaud all the Googlers who spent their holiday keeping the rest of us safe — we really appreciate it.

  7. Happy to help; I’m glad we’ve got really good security folks (both web server-side and for client applications).

  8. i must follow up gid’s comment google directory still points to old security website i had and that has been droped by mistake by me and it still apears higher than the results of my new domain editors dont keep up the pace

  9. thnxx

  10. Hi Matt,

    I was wondering if google penalize a website if they copy content from other websites. One website copied my content and they ranked #1 whereas I am #5 from same content. I published a week before them and I had original content.

    This is not first time I am seeing this. I find so many times that people copy contents from my websites and they rank higher.