Google Base arrived recently, sharing the same domain as Gmail, so cross-site scripting holes in Google Base will allow access to all the Gmail emails, as well as XSS phishing attacks using the Google brand. Of course, as you would expect for a new product from a major internet company, there’d obviously been no security testing whatsoever and there were trivially obvious XSS holes in it.
Like the Yahoo programmer last week, the incompetent Google Base programmer had simply taken a parameter from the query string and written it unencoded into the document. So the query http://base.google.com/base/search?a_n427=<script>alert(1)</script>&a_y427=0&a_s427=0&a_r=2 performed the alert. This was fixed about 5 hours after I reported it, showing again that Google don’t care about the security of our data enough to not release clearly insecure software.
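To make the defect concrete, here is a small added example (not code from Google or from this post) that takes the exact URL quoted above, extracts the `a_n427` parameter the way a server would, and renders it two ways: straight into the markup, as the post describes, and entity-encoded for an HTML text context. The `search_term`, `render_vulnerable` and `render_safe` names and the `<p>` template are assumptions made for the illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The URL quoted in the post, copied here as the example's sample input.
SAMPLE_URL = (
    "http://base.google.com/base/search"
    "?a_n427=<script>alert(1)</script>&a_y427=0&a_s427=0&a_r=2"
)


def search_term(url: str) -> str:
    """Return the a_n427 query parameter as the server sees it after URL decoding."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("a_n427", [""])[0]


def render_vulnerable(term: str) -> str:
    """The defect the post describes: the raw parameter is interpolated into HTML."""
    return f"<p>Results for: {term}</p>"


def render_safe(term: str) -> str:
    """The fix: entity-encode the value for the HTML text context it lands in.

    quote=True also encodes ' and ", so the same function is safe when the
    value is later placed inside a quoted attribute.
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_raw_tag(page: str) -> bool:
    """Crude regression check a test suite could run over the rendered page:
    does any '<script' tag survive in the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = search_term(SAMPLE_URL)
    print("vulnerable:", render_vulnerable(term))  # tag survives, browser runs it
    print("safe:      ", render_safe(term))        # &lt;script&gt;... shown as text
```

The encoding is context-specific: `html.escape` is the right transform for text and quoted-attribute contexts, but a value dropped into a `<script>` block, a URL, or CSS needs the encoder for that context instead. A check like `reflects_raw_tag` is the kind of thing the missing QA pass would have caught before release.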
Like last year, Google’s response to the email report was nothing; there wasn’t even an autoresponder on firstname.lastname@example.org, so only by watching for it to be fixed did I learn that it had been fixed at all. Like the Gmail security flaw, Google appear to have a complete-silence approach to security; I guess they think what the public don’t know can’t worry them. I can’t understand the motivations behind not acknowledging and thanking a reporter of a security flaw: the alternative for the people who find these flaws is to get rich abusing them, or to publicise them, allowing other people to get rich abusing them. Surely a “thanks for your bug report, we fixed it” email is a small price to pay for not having to hire your own QA team?
Google Base is beta, so bugs are perhaps to be expected, but I can’t understand why Google don’t have at least some security testing; would the publicity of a breach not be a PR disaster for them? Like I said last week, host the beta on a separate domain.