More Google security failures

Google Base arrived recently, sharing the same domain as Gmail, so cross-site scripting holes in Google Base will allow access to all the Gmail emails, as well as XSS phishing attacks using the Google brand. Of course, as you would expect for a new product from a major internet company, there had obviously been no security testing whatsoever, and there were trivially obvious XSS holes in it.

Like the Yahoo programmer last week, the incompetent Google Base programmer had simply taken a parameter from the query string and written it unencoded into the document. So the query http://base.google.com/base/search?a_n427=<script>alert(1)</script>&a_y427=0&a_s427=0&a_r=2 performed the alert. This was fixed about 5 hours after I reported it, showing again that Google don’t care about the security of our data enough not to release clearly insecure software.

Like last year, Google’s response to the email report was nothing; there wasn’t even an autoresponder on security@google.com, so the only way I learned it had been fixed at all was by watching for the fix. Like the Gmail security flaw, Google appear to have a complete-silence approach to security; I guess they think what the public don’t know can’t worry them. I can’t understand the motivation behind not acknowledging and thanking the reporter of a security flaw: the alternatives for the people who find these flaws are to get rich abusing them, or to publicise them and let other people get rich abusing them. Surely a “thanks for your bug report, we fixed it” email is a small price to pay for not having to hire your own QA team?

Google Base is beta, so bugs are perhaps to be expected, but I can’t understand why Google don’t have at least some security testing; would the publicity of a breach not be a PR disaster for them? Like I said last week, host the beta on a separate domain.
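
The defect described above, as an added example that is not code from the original post or from Google: a search handler that splices a query-string parameter straight into the page, next to the same handler with the value entity-encoded, plus the check a tester with a `<` in their test data would effectively be running. The parameter name `a_n427` and the search URL come from the post; the page template and the probe string are constructed stand-ins.

```javascript
// Map the five characters that matter in HTML text and attribute
// contexts to their entity references (HTML text context only;
// JavaScript, URL and CSS contexts need their own encoders).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query-string value is written into the document as-is,
// which is the mistake the post describes. Page template is constructed.
function renderUnsafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("a_n427") || "";
  return `<html><body><p>Results for: ${q}</p></body></html>`;
}

// Fixed: identical template, but the value is entity-encoded first, so
// any markup the user supplied is shown as text rather than parsed.
function renderSafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("a_n427") || "";
  return `<html><body><p>Results for: ${escapeHtml(q)}</p></body></html>`;
}

// Reflection check: does the raw input come back in the output unchanged?
// Any answer of "true" for markup-bearing input is a finding a developer
// or tester should catch before release.
function reflectsRaw(render, input) {
  const url =
    "http://base.google.com/base/search?a_n427=" + encodeURIComponent(input);
  return render(url).includes(input);
}

// Constructed, harmless markup probe: enough to show the difference
// without needing anything that executes.
const probe = "<b>x</b>";

console.log("unsafe reflects raw markup:", reflectsRaw(renderUnsafe, probe));
console.log("safe reflects raw markup:  ", reflectsRaw(renderSafe, probe));
```

The check is deliberately dumb: it does not need a script payload, only to notice that a `<` survived the round trip, which is the same observation the post makes about the site breaking on any test data containing `<`.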

30 Responses to “More Google security failures”

  1. Jim Ley Says:

    I have no doubt other people found the vulnerabilities before me, that’s why they’re so bad, the vulnerabilities are so trivial to find and exploit, it’s quite likely Mr Bad Person has found them first.

    I really don’t want $$ from the companies, I want reliable secure software, I also don’t want your thanks, it’s no use whatever. A major company thanking me wouldn’t do anything to stop the blog entries, however as you say there’s no point me reporting the security flaws in the sites, they’ve likely already been found by someone else, I’ll probably just blog about them, rather than sending the email in future.

  2. VOR Says:

    Quoting:
    “..the vulnerabilities are so trivial to find and exploit, it’s quite likely Mr Bad Person has found them first.”

    - Said like a true spinmeister. I’m expecting a winfixer popup to showup any second now..

    More:
    “..I really don’t want $$ from the companies, I want reliable secure software,”

    -Ahh, that’s the rub. Base and Maps are a service, not “software” correct? While still a black eye, this isn’t as inexcusable say as downloading and installing software (let alone software you buy) that opens your computer to bad guys. I think you (possibly inadvertently) compare apples to oranges in this case; there will always be “man in the middle” vulnerabilities as long as we use the internet in its current form.

    Finally:
    “I also don’t want your thanks, it’s no use whatever. A major company thanking me wouldn’t do anything to stop the blog entries, however as you say there’s no point me reporting the security flaws in the sites, they’ve likely already been found by someone else, I’ll probably just blog about them, rather than sending the email in future.”

    - I think you’re mistaking me for someone else, (someone whose opinion even indirectly represents those you speak of), I’ll clarify now that it’s not; I’m much too “evil” for one group, and too cool for the other. But the funny thing about your statement is that there will always be eyeball hungry bloggers/site owners who will publish this stuff quickly. Perhaps this *is* the preferred medium to convey this information. (Barring your having an inside email address to project managers). Otherwise you have to filter through the normal customer service channels. Kinda sad, but rock on, you’ll end up assisting either way.

    However, note that by perusing your site, I see no further demonstration of “good will” in terms of educating users against malicious intent. In fact I see nothing substantial but condescending “I’m smarter than them” comments about various services. This lack of directive certainly skews the perception of any purported good will within an otherwise fairly dumdrum site. These posts sure bring in the eyeballs though, don’t they?

  3. Anonymous Says:

    :P secure ?

  4. Jim Ley Says:

    VOR, Google Base, Yahoo Maps are software, there’s no distinction to script/html you download and execute immediately to software you install, any code I authorise to run on my system is the same. A pure web-page with no client-side script, maybe then it’s a service, but these products are software. Not that it really matters, and these certainly aren’t man in the middle attacks.

    Yes, it’s unfortunate but publicity is the only way to get people to respond, you generally cannot get through customer service droids (and online beta software generally has none of that anyway), I’m not a security professional, I’m a developer, I’ve found 4 flaws in websites in all my years, Tesco’s (a non-SSL’d credit card submission) required me to call the BBC to get it fixed, they had no way past their drones at all, Google’s first required 2 years and a bugtraq publicity, google’s 2nd they seemingly fixed with just an email. Yahoo responded as we would expect. My site isn’t about security, no-one should try to find it for information on educating users, I don’t want to educate users they are not my audience, and I certainly wouldn’t recommend anyone read a random site to pick up security tips, that’s part of the problem.

    As to blogging for hits, the posts have brought no noticeable change in the size of hits, the blog is still swamped by requests for other pages on the site, the javascript FAQ or xml http request article, in particular.

  5. Anonymous Says:

    and there u go another leak in your forum :)

  6. Mike Says:

    Google is just crap

  7. » Google Security Failures - SEO BUZZBOX Says:

    […] Here is a post by Jim Ley whose points are hard to argue with. […]

  8. Anonymous coward Says:

    Stop whining. Want us to come over to you and thank you for discovering a bug? Big deal… We discover bugs on a daily basis. What’s new? And yes, it’s a BETA, and no-one forced you to use it.

  9. Paul Says:

    For the next ugly Google or Yahoo bug you discover, how about emailing the company and waiting 24 or 48 hours to blog about it, gently?

    As long as humans program, companies will make mistakes. And gifted developers will be able to improve the world and be affirmed for their insights, while limiting the risk of helping the bad guys.

  10. Jim Ley Says:

    Paul, why would I wait more time after they’ve patched it, surely blogging as soon as it’s patched is all that’s necessary, what’s the point in waiting? And why do it gently if they’ve not even got the simple courtesy to reply to the email?

  11. phil ringnalda » Blog Archive » Linkstipation Says:

    […] More Google security failures: trivially obvious XSS holes really shouldn’t be how you want your “beta” described. […]

  12. Anonymous Says:

    Google is a junkyard, I only use the usenet archive. A search engine has no more value when all companies manipulate it for free advertisement. And Google is not strict enough, so who cares about Google anyway. Concerning security, any data which an American company owns of you is insecure, when they are sold anything can happen if it doesn’t already. Americans only respect their own rights, so I never leave any information with American companies or organisations, if you did it is your own fault.

  13. Out of the way Says:

    Security Blankets

    Note: My security work has mostly been in dealing with service architectures and intrusion detection (and partly in bars, which is surprisingly similar in most of the basic concepts and approaches). I haven’t got a mon …

  14. Anonymous Says:

    Jim Ley: thanks! it’s hard to disagree with what you say.
    I am sorry that you have to endure the rantings of someone like VOR. He is not contributing anything to the issue or the discussion; only has too much time on his hands and hates to see other people like you doing something valuable with their time.

  15. Anonymous Says:

    I can’t agree more with you

  16. alberto666 Says:

    Google Base bugs can be expected, but not to be able to access gmail accounts by Google Base bugs. Not for a company like Google.

  17. Anonymous Says:

    I applaud Google for not disclosing their security measures. First off with all of the issues that occur on the internet, 9 out of 10 hacked sites come from public information released about security holes. When Google started to keep a hush hush approach to security, they are doing so to protect their rights and interests, and to keep the hackers from learning more about the security flaw. The author of this article is like every other journalist, they don’t think about the pros and cons. I have been in the IT industry for 10 years and I see it every day.

  18. » Google Base Security Flaws  InsideGoogle » part of the Blog News Channel Says:

    […] According to Jim Ley, simple and obvious security flaws in Google Base, because it is hosted on the same domain as Gmail, allow an attacker access to Gmail emails, as well as the ability to perform phishing attacks. He argues that Google should hold all betas, which are more likely to be insecure, on a separate domain from google.com (like googleplus.com, which Google owns). Google Base is beta, so bugs are perhaps to be expected, but I can’t understand why Google don’t have at least some security testing, would the publicity of a breach not be a PR disaster for them? Like I said last week, host the Beta on a separate domain. […]

  19. Anonymous Says:

    As I understand it, each subdomain has a separate cookie, and so compromising base.google.com’s cookies will not allow one to access mail.google.com. In other words, while it appears there was a security hole with Google Base for a short while, the extent of the damage to a user would have been limited to just their Google Base account contents.

  20. Programación e Internet » Blog » Possible serious vulnerability in ‘Google Base’ Says:

    […] According to Jim Ley in this post on his blog, the recently launched ‘Google Base’ service may have been exposed for several hours to a serious vulnerability that would have allowed access to any Gmail account. […]

  21. Jim Ley Says:

    Anonymous, it’s not cookie stealing that’s the issue, it’s simple cross domain scripting, many google pages have document.domain set to google.com, this means regular cross domain calls can be made between frames hosting *.google.com sites, so once you get onto any .google.com, you can get anywhere else, certainly the person would need to be logged in to their gmail account or similar, but then google single sign-on ensures that for us anyway.
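
The cross-domain point in Jim’s reply, and the cookie objection in comment 19 it answers, as an added example that is not Jim’s code or Google’s: a small model of the legacy `document.domain` rule. Two frames on different hosts are cross-origin by default, cookies aside; if both assign `document.domain` to the same parent domain that is a suffix of their own host, the browser treats them as same-origin for DOM access, which is the single-sign-on risk the reply describes. The hostnames are the ones named in the thread; the suffix test is a simplification (no public-suffix list), and the port handling follows the spec’s behaviour of dropping the port once `document.domain` is set. Modern browsers have since deprecated setting `document.domain`, which is the mitigation.

```javascript
// True when `domain` is `host` itself or a parent of it at a label boundary.
// Simplified: real browsers also refuse public suffixes such as "com".
function isLabelSuffix(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Effective origin of a frame after an optional document.domain assignment.
// Returns null when the assignment would be rejected (browsers throw).
function effectiveOrigin(scheme, host, port, documentDomain) {
  if (documentDomain === undefined) {
    return { scheme, host, port, relaxed: false };
  }
  if (!isLabelSuffix(host, documentDomain)) return null;
  // Once document.domain is set, the port no longer takes part in the
  // comparison, and the origin is flagged as "relaxed".
  return { scheme, host: documentDomain, port: null, relaxed: true };
}

// DOM access is allowed when both sides opted in to the same relaxed
// origin, or when neither did and the origins match exactly.
function sameOriginForDom(a, b) {
  if (!a || !b) return false;
  if (a.relaxed !== b.relaxed) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Hosts from the thread; a page on base.google.com and a Gmail page that
// both set document.domain = "google.com" can reach each other's DOM.
const basePage = effectiveOrigin("https", "base.google.com", 443, "google.com");
const mailRelaxed = effectiveOrigin("https", "mail.google.com", 443, "google.com");
// Gmail page that never touches document.domain: stays isolated.
const mailStrict = effectiveOrigin("https", "mail.google.com", 443, undefined);

console.log("both relaxed to google.com:", sameOriginForDom(basePage, mailRelaxed));
console.log("only one side relaxed:     ", sameOriginForDom(basePage, mailStrict));
```

The model shows why per-subdomain cookies do not settle the question: the isolation boundary is the origin the browser computes for DOM access, and every page that sets `document.domain` to `google.com` widens that boundary to the whole parent domain, beta products included.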

  22. VOR Says:

    What makes you whiners so sure you were the first person to break any purported vulnerability? What if Google, Yahoo or MS secretly gave $$ to the first third-party who told them and didn’t acknowledge subsequent bandwagon attempts to publicize a vulnerability? Plus with publicity hungry friends like you calling folks “incompetent programmer” and the such, I’d be hard pressed to thank you for anything. Especially knowing that doing so would only prolong the spotlight of the problem (don’t say a major company thanking you wouldn’t make at least 2 more of your jibberings…) This way the problem once fixed quickly dies a silent death.

  23. Anonymous Says:

    sad, bitter and twisted

  24. Matt Says:

    You have to understand that you can look over something a hundred times and still miss a security glitch. It’s not like they don’t care, if they knew about it beforehand it would have been fixed before its release. But sometimes they miss things and it’s people like you that find these holes that make it better by reporting them instead of using it to your own devious advantages.

    God, go start your own search giant and see how well you do.

  25. Jim Ley Says:

    Matt, this was a very, very trivial error, it’s an error that a developer never should have made, but if they did automated testing probably should’ve picked up, let alone developing by a tester with no experience, as it’s not even simply a security failure, the site doesn’t work with any test data containing an < that is trivial to detect by a developer, let alone a tester who has any ability to actually test.

  26. kerosine Says:

    Matt?
    Is the comment written by Matt Wright from the software Archive http://www.scriptarchive.com?
    Most if not all scripts published there are buggy.

  27. iBlog » Blog Archive » Bugs, eh? Says:

    […] Read the reports here, here, and here. […]

  28. Chris Weston Says:

    Can’t see the issue with what Jim has posted here. He saw an (obvious) flaw, reported it and it was fixed. He writes in his blog about it and criticises the use of live domains for beta software, a useful warning to those of us that rely perhaps a little too heavily on Gmail. He made the point that the saving that Google make in not testing properly could be spent in a very small part in replying to error reports.

    All seems very reasonable to me. Brownie points to Jim for doing the Right Thing and reporting it to Google rather than just blogging about it first.

  29. xxx Says:

    new google desktop(stool pigeon)

  30. Kylie Manders Says:

    I do not trust Google one bit, they are an evil corporation
