- Send the victim’s Gmail account an email with a link you can persuade them to click on, to a page under your control
- On that page, have a `<script src="…">` tag accessing the well-known URL for getting the address book
- Gmail happily sends back the data, as the person is logged into Gmail and so the request has the correct cookies
- Override the anonymous Array() constructor with a function of your choice
- When the data arrives, the JS engine calls the anonymous Array constructor (even though it plans to throw away the result, as it’s not assigned to a variable), and therefore calls your function on the address book data, giving you access to it.
- Ajax has new security risks associated with it
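The steps above hinge on one property of the response: a bare JSON array is also a valid JavaScript program, so a cross-origin `<script src>` include can evaluate it with the attacker's page-level overrides in scope. The defensive counterpart is to make the response unparseable as a script while leaving it trivially parseable for the same-origin Ajax client. The block below is an added example, not code from the original post or from Gmail; the `)]}',` guard prefix is the widely used mitigation for this class of bug, the sample addresses are constructed, and `compilesAsScript` uses `new Function` to model what a script include does (compile the body as a program) without actually fetching anything. Note also that modern JavaScript engines no longer invoke a user-overridden `Array` constructor when building array literals, which closed the specific trick in step four; the guard prefix defends against the whole response being runnable, regardless of engine behaviour.

```javascript
// Added example (not from the original post): a bare JSON array response versus
// the same response behind an unparseable guard prefix, seen from both the
// cross-origin <script> include and the legitimate same-origin Ajax client.
// All sample data below is constructed for illustration.

// What a naive endpoint sends (constructed): a bare JSON array, which is also a
// valid JavaScript program and so can be evaluated by a <script src=...> tag.
const BARE_ARRAY_RESPONSE = '["alice@example.invalid", "bob@example.invalid"]';

// Guard prefix: never valid JavaScript syntax on its own, so a <script>
// include aborts with a SyntaxError before any value is constructed.
const GUARD_PREFIX = ")]}',\n";

// Server side: serialize the data behind the guard.
function emitGuarded(data) {
  return GUARD_PREFIX + JSON.stringify(data);
}

// Client side (same-origin XMLHttpRequest/fetch): strip the guard, then parse.
// Refuses responses that lack the guard so a misconfigured endpoint is noticed.
function parseGuarded(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error("response missing anti-hijacking guard");
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Models what a <script src=...> include does with a response body: compile it
// as a program. Returns true when the body compiles (and would therefore run
// with whatever overrides the including page has installed), false when the
// engine rejects it as a SyntaxError. Nothing is executed here.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Puts the two responses side by side.
function demo() {
  const contacts = ["alice@example.invalid", "bob@example.invalid"];
  const guarded = emitGuarded(contacts);
  return {
    bareRunsAsScript: compilesAsScript(BARE_ARRAY_RESPONSE),  // true: hijackable
    guardedRunsAsScript: compilesAsScript(guarded),            // false: rejected
    sameOriginClientGets: parseGuarded(guarded),               // the contacts
  };
}
```

The same-origin client pays one `slice` per response; the cross-origin include gets a parse error and nothing else. The closing question has since been answered in part by browsers as well: a cookie carrying `SameSite=Lax` or `SameSite=Strict` is not attached to a cross-site `<script src>` request, so the endpoint sees an unauthenticated fetch rather than the logged-in user's session.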
Hmm. Would it break much of the web if we failed to send cookies on <script> src requests which were cross-domain?