More Google security failures

Google Base arrived recently, sharing the same domain as Gmail, so cross-site scripting holes in Google Base will allow access to all the Gmail emails, as well as XSS phishing attacks using the Google brand. Of course, as you would expect for a new product from a major internet company, there had obviously been no security testing whatsoever, and there were trivially obvious XSS holes in it.

Like the Yahoo programmer last week, the incompetent Google Base programmer had simply taken a parameter from the query string and written it unencoded into the document. So a query http://base.google.com/base/search?a_n427=<script>alert(1)</script>&a_y427=0&a_s427=0&a_r=2 performed the alert. This was fixed about 5 hours after I reported it, showing again that Google don’t care about the security of our data enough to not release clearly insecure software.
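The defect described above is reflected XSS: a query-string value is written straight into the page. The following is an added example (not Google’s code; the handler names are made up and the query parser is a stand-in) showing the unencoded rendering beside the HTML-encoded version, plus a small regression check that flags any tag in the output that the template did not itself write. The probe URL is the one quoted in the post.

```javascript
// Added example, not code from the original post or from Google Base.
// Demonstrates the vulnerable "write the parameter unencoded" pattern and its fix.

// Minimal query-string parser (hypothetical stand-in for the real application's parser).
function parseQuery(url) {
  const out = {};
  const qs = url.split("?")[1] || "";
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const k = i === -1 ? pair : pair.slice(0, i);
    const v = i === -1 ? "" : pair.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return out;
}

// Encode the five characters that change meaning in HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// BEFORE: the search term is written into the document as-is (the defect the post describes).
function renderVulnerable(url) {
  const term = parseQuery(url).a_n427 || "";
  return `<h1>Results for ${term}</h1><input name="a_n427" value="${term}">`;
}

// AFTER: every untrusted value is HTML-encoded at the point where it is written.
function renderSafe(url) {
  const term = escapeHtml(parseQuery(url).a_n427 || "");
  return `<h1>Results for ${term}</h1><input name="a_n427" value="${term}">`;
}

// Regression check: does the rendered page contain any element the template did not write?
function containsUnexpectedTag(html, allowedTags) {
  const seen = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) seen.add(m[1].toLowerCase());
  return [...seen].some((t) => !allowedTags.has(t));
}

const ALLOWED_TAGS = new Set(["h1", "input"]);
// The probe URL quoted in the post, percent-encoded so the parser above sees it as one value.
const PROBE_URL =
  "http://base.google.com/base/search?a_n427=%3Cscript%3Ealert(1)%3C/script%3E&a_y427=0&a_s427=0&a_r=2";

// Stand-alone run: show that the check catches the vulnerable output and passes the safe one.
console.log("vulnerable flagged:", containsUnexpectedTag(renderVulnerable(PROBE_URL), ALLOWED_TAGS));
console.log("safe flagged:", containsUnexpectedTag(renderSafe(PROBE_URL), ALLOWED_TAGS));
```

The check in `containsUnexpectedTag` is deliberately crude (it only notices new element names), but it is cheap enough to run against every template in a test suite, and it would have caught this case before release.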

Like last year, Google’s response to the email report was nothing; there wasn’t even an autoresponder on security@google.com, so the only way I learned it had been fixed at all was by watching for the fix. As with the Gmail security flaw, Google appear to have a complete-silence approach to security; I guess they think what the public don’t know can’t worry them. I can’t understand the motivation behind not acknowledging and thanking the reporter of a security flaw: the alternative for the people who find these flaws is to get rich abusing them, or to publicise them and let other people get rich abusing them. Surely a “thanks for your bug report, we fixed it” email is a small price to pay for not having to hire your own QA team?

Google Base is beta, so bugs are perhaps to be expected, but I can’t understand why Google don’t have at least some security testing; would the publicity of a breach not be a PR disaster for them? Like I said last week, host the beta on a separate domain.

Comments

  1. Anonymous Says:

    i can’t agree more with you

  2. alberto666 Says:

    Google Base bugs can be expected, but not to be able to access gmail accounts by Google Base bugs. Not for a company like Google.

  3. Anonymous Says:

    I applaud google for not disclosing their security measures. First off, with all of the issues that occur on the internet, 9 out of 10 hacked sites come from public information released about security holes. When google stated to keep a hush hush approach to security, they are doing so to protect their rights and interests, and to keep the hackers from learning more about the security flaw. The author of this article is like every other journalist, they don’t think about the pros and cons. I have been in the IT industry for 10 years and I see it every day.

  4. » Google Base Security Flaws – InsideGoogle » part of the Blog News Channel Says:

    […] According to Jim Ley, simple and obvious security flaws in Google Base, because it is hosted on the same domain as Gmail, allow an attacker access to Gmail emails, as well as the ability to perform phishing attacks. He argues that Google should hold all betas, which are more likely to be insecure, on a separate domain from google.com (like googleplus.com, which Google owns). Google Base is beta, so bugs are perhaps to be expected, but I can’t understand why Google don’t have at least some security testing, would the publicity of a breach not be a PR disaster for them? Like I said last week, host the Beta on a separate domain. […]

  5. Anonymous Says:

    As I understand it, each subdomain has a separate cookie, and so compromising base.google.com’s cookies will not allow one to access mail.google.com. In other words, while it appears there was a security hole with google base for a short while, the extent of the damage to a user would have been limited to just their google base account contents.

  6. Programación e Internet » Blog » Possible serious vulnerability in ‘Google Base’ Says:

    […] According to Jim Ley in this post on his blog, the recently launched ‘Google Base’ service may have been exposed for several hours to a serious vulnerability that would have allowed access to any Gmail account. […]

  7. Jim Ley Says:

    Anonymous, it’s not cookie stealing that’s the issue, it’s simple cross-domain scripting. Many google pages have document.domain set to google.com; this means regular cross-domain calls can be made between frames hosting *.google.com sites, so once you get onto any .google.com, you can get anywhere else. Certainly the person would need to be logged in to their gmail account or similar, but then google single sign-on ensures that for us anyway.
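The disagreement between comment 5 and comment 7 is about two different mechanisms: cookie scoping and the legacy document.domain relaxation of the same-origin policy. The following added example (not from the post or from Google; the frame objects and host names are constructed, and the public-suffix check is simplified to “the value must contain a dot”) models both rules so the distinction can be checked, including why hosting a beta on a separate registrable domain, as the post suggests, keeps it out of the relaxed origin.

```javascript
// Added example, not code from the original post. Models the legacy document.domain rule
// (modern browsers deprecate it) and host-only cookie scoping, with constructed inputs.

// Legacy rule: document.domain may only be set to the current host or a parent domain of it.
// Real browsers also refuse public suffixes ("com", "co.uk"); simplified here to "contains a dot".
function setDocumentDomain(frame, value) {
  const host = new URL(frame.origin).hostname;
  const allowed = value === host || (host.endsWith("." + value) && value.includes("."));
  if (!allowed) throw new Error(`document.domain="${value}" is not a parent of ${host}`);
  return { ...frame, documentDomain: value };
}

// Two documents may script each other ("same origin-domain") when either neither has set
// document.domain and the origins are identical, or both have set it to the same value
// under the same scheme. One side setting it is not enough.
function sameOriginDomain(a, b) {
  const ua = new URL(a.origin), ub = new URL(b.origin);
  if (a.documentDomain === null && b.documentDomain === null) {
    return ua.origin === ub.origin;
  }
  return a.documentDomain !== null && b.documentDomain !== null &&
    a.documentDomain === b.documentDomain && ua.protocol === ub.protocol;
}

// Cookie scoping is independent of the above: a cookie set without a Domain attribute is
// host-only (what comment 5 has in mind); with Domain=google.com it covers all subdomains.
function cookieVisibleTo(cookie, host) {
  if (cookie.domain === null) return host === cookie.host;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Constructed frames: a beta product and the mail product on sibling subdomains.
const baseFrame = { origin: "https://base.google.com", documentDomain: null };
const mailFrame = { origin: "https://mail.google.com", documentDomain: null };

function demo() {
  const baseRelaxed = setDocumentDomain(baseFrame, "google.com");
  const mailRelaxed = setDocumentDomain(mailFrame, "google.com");
  return {
    // Sibling subdomains are distinct origins until both relax document.domain.
    withoutRelaxation: sameOriginDomain(baseFrame, mailFrame),
    // Once both pages set document.domain=google.com, script in one frame reaches the other.
    bothRelaxed: sameOriginDomain(baseRelaxed, mailRelaxed),
    // Only one side relaxing does not grant access.
    oneSideRelaxed: sameOriginDomain(baseRelaxed, mailFrame),
    // A host-only cookie on base.google.com is never sent to mail.google.com.
    hostOnlyCookie: cookieVisibleTo({ host: "base.google.com", domain: null }, "mail.google.com"),
  };
}

console.log(demo());
```

The case the post argues for is the one that fails: a page on a separate registrable domain such as base.googleplus.com cannot set document.domain to google.com at all, so an XSS there is confined to that domain regardless of what the main site’s pages have done.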

  8. VOR Says:

    What makes you whiners so sure you were the first person to break any purported vulnerability? What if Google, Yahoo or MS secretly gave $ to the first third-party who told them and didn’t acknowledge subsequent bandwagon attempts to publicize a vulnerability? Plus with publicity hungry friends like you calling folks “incompetent programmer” and the such, I’d be hard pressed to thank you for anything. Especially knowing that doing so would only prolong the spotlight of the problem (don’t say a major company thanking you wouldn’t make at least 2 more of your jibberings…) This way the problem once fixed quickly dies a silent death.

  9. Jim Ley Says:

    I have no doubt other people found the vulnerabilities before me, that’s why they’re so bad, the vulnerabilities are so trivial to find and exploit, it’s quite likely Mr Bad Person has found them first.

    I really don’t want $ from the companies, I want reliable secure software, I also don’t want your thanks, it’s no use whatever. A major company thanking me wouldn’t do anything to stop the blog entries, however as you say there’s no point me reporting the security flaws in the sites, they’ve likely already been found by someone else, I’ll probably just blog about them, rather than sending the email in future.

  10. VOR Says:

    Quoting:
    “..the vulnerabilities are so trivial to find and exploit, it’s quite likely Mr Bad Person has found them first.”

    - Said like a true spinmeister. I’m expecting a winfixer popup to show up any second now..

    More:
    “..I really don’t want $ from the companies, I want reliable secure software,”

    -Ahh, that’s the rub. Base and Maps are a service, not “software” correct? While still a black eye, this isn’t as inexcusable say as downloading and installing software (let alone software you buy) that opens your computer to bad guys. I think you (possibly inadvertently) compare apples to oranges in this case; there will always be “man in the middle” vulnerabilities as long as we use the internet in its current form.

    Finally:
    “I also don’t want your thanks, it’s no use whatever. A major company thanking me wouldn’t do anything to stop the blog entries, however as you say there’s no point me reporting the security flaws in the sites, they’ve likely already been found by someone else, I’ll probably just blog about them, rather than sending the email in future.”

    - I think you’re mistaking me for someone else, (someone whose opinion even indirectly represents those you speak of), I’ll clarify now that it’s not; I’m much too “evil” for one group, and too cool for the other. But the funny thing about your statement is that there will always be eyeball hungry bloggers/site owners who will publish this stuff quickly. Perhaps this *is* the preferred medium to convey this information. (Barring your having an inside email address to project managers). Otherwise you have to filter through the normal customer service channels. Kinda sad, but rock on, you’ll end up assisting either way.

    However, note that by perusing your site, I see no further demonstration of “good will” in terms of educating users against malicious intent. In fact I see nothing substantial but condescending “I’m smarter than them” comments about various services. This lack of directive certainly skews the perception of any purported good will within an otherwise fairly humdrum site. These posts sure bring in the eyeballs though, don’t they?

  11. Anonymous Says:

    :P secure ?

  12. Jim Ley Says:

    VOR, Google Base and Yahoo Maps are software; there’s no distinction between script/html you download and execute immediately and software you install, any code I authorise to run on my system is the same. A pure web page with no client-side script, maybe then it’s a service, but these products are software. Not that that really matters, and these certainly aren’t man-in-the-middle attacks.

    Yes, it’s unfortunate but publicity is the only way to get people to respond, you generally cannot get through customer service droids (and online beta software generally has none of that anyway), I’m not a security professional, I’m a developer, I’ve found 4 flaws in websites in all my years, Tesco’s (a non-SSL’d credit card submission) required me to call the BBC to get it fixed, they had no way past their drones at all, Google’s first required 2 years and a bugtraq publicity, google’s 2nd they seemingly fixed with just an email. Yahoo responded as we would expect. My site isn’t about security, no-one should try to find it for information on educating users, I don’t want to educate users they are not my audience, and I certainly wouldn’t recommend anyone read a random site to pick up security tips, that’s part of the problem.

    As to blogging for hits, the posts have brought no noticeable change in the size of hits, the blog is still swamped by requests for other pages on the site, the javascript FAQ or xml http request article, in particular.

  13. Anonymous Says:

    and there u go another leak in your forum :)

  14. Mike Says:

    Google is just crap

  15. » Google Security Failures - SEO BUZZBOX Says:

    […] Here is a post by Jim Ley whose points are hard to argue with. […]

  16. Anonymous coward Says:

    Stop whining. Want us to come over to you and thank you for discovering a bug? Big deal… We discover bugs on a daily basis. What’s new? And yes, it’s a BETA, and no-one forced you to use it.