Tony’s not a malicious hacker of course (in fact, the first thing he did was inform Google Security!), but he found a loophole in a new feature Google rolled out recently. Using a proof of concept script targeting this loophole – which I can detail once it’s fixed – all Tony needed to do was make a user who’s logged into their Google Account visit a page of his, which happened to be on a “trustworthy” google.com sub-domain. I visited Tony’s page, which sent my Google cookies to Tony, which in turn enabled him to:
This is by far not the end of services Tony was able to see in our brief tests. What he specifically was not able to do was to read my full emails, check my Calendar events, or change my Google Account password (which would’ve given him full access to anything, basically).
Now, the vulnerability in question is of a very special kind, and Tony, by “claiming” this loophole, also blocked it for other abusers. This means that for the sake of this case, even though Google didn’t yet fix the hole, there is nothing to worry about (except that someone might find more holes in the vicinity of this bug). However, I am posting on this because it’s a worthwhile reminder that no company’s security is ever completely cracker-proof; in very rare circumstances, whatever you saved in Google, or entered in Google, can escape your control and land in the wrong hands. Or, as Tony phrased it on his proof of concept page, “Think yourself lucky that I wasn’t that evil!”
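The reason a page on a sub-domain of a trusted site can receive a visitor’s account cookies at all is cookie scoping: a cookie set with a `Domain` attribute covering the parent domain is attached to requests for every sub-domain, while a host-only cookie (no `Domain` attribute) stays with the host that set it, and an `HttpOnly` cookie is withheld from page script even where it is sent. The following added example (my own illustration, not Tony’s proof of concept or any Google code) uses Python’s standard `http.cookiejar` as a stand-in for a browser’s cookie jar, with constructed cookie names and hostnames under `example.com`, to show which hosts each kind of cookie would reach:

```python
"""Cookie-scoping demonstration (added example; all cookie names, values and
hostnames below are constructed and have no relation to Google's real cookies)."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _CannedResponse:
    """Minimal stand-in for an HTTP response: http.cookiejar only needs
    response.info() to return the headers it should parse."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header  # Message appends repeated headers

    def info(self):
        return self._msg


def jar_from_set_cookie(origin_url, set_cookie_headers):
    """Store the given Set-Cookie headers as if the server at origin_url sent them."""
    jar = CookieJar()
    jar.extract_cookies(_CannedResponse(set_cookie_headers), Request(origin_url))
    return jar


def cookies_sent_to(jar, url):
    """Return the (sorted) cookie names the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def script_readable(jar):
    """Names of stored cookies that lack HttpOnly, i.e. the ones a page's own
    script could read via document.cookie wherever the cookie is sent."""
    return sorted(c.name for c in jar if not c.has_nonstandard_attr("HttpOnly"))


# Constructed headers from a hypothetical login host: one session cookie scoped
# to the whole parent domain, one host-only cookie, and one host-only cookie
# additionally marked HttpOnly.
SET_COOKIE_HEADERS = [
    "SID=session123; Domain=.example.com; Path=/; Secure",
    "LSID=hostonly456; Path=/; Secure",
    "SSID=locked789; Path=/; Secure; HttpOnly",
]
ORIGIN = "https://accounts.example.com/"


if __name__ == "__main__":
    jar = jar_from_set_cookie(ORIGIN, SET_COOKIE_HEADERS)
    # Any sub-domain, including one hosting third-party pages, receives SID;
    # only the issuing host receives the host-only cookies.
    for host in ("accounts.example.com", "mail.example.com", "pages.example.com"):
        print(host, "receives", cookies_sent_to(jar, f"https://{host}/"))
    print("readable by page script:", script_readable(jar))
```

Run as a script, it shows `SID` reaching every host under `example.com` while `LSID` and `SSID` stay with `accounts.example.com`, and `SSID` alone being hidden from page script. The defensive lesson is the one the post points at: a session cookie scoped to a whole domain is only as safe as every page that can be served under that domain, so keeping such cookies host-only and `HttpOnly` wherever the application allows shrinks what a stray sub-domain page can collect.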
Update: The flaw was fixed by Google now, so Tony posted a more detailed explanation of the vulnerability.