Google Blogoscoped

Forum

Google Security Hole Allows Account Hijacking  (View post)

Kirby Witmer [PersonRank 10]

Friday, January 12, 2007
11 years ago8,319 views

Yikes!!

Tony Ruscoe [PersonRank 10]

11 years ago #

It seems to be fixed now. They've taken down my proof of concept page anyway. I think it took them around 3 hours 30 minutes or so from me emailing them... which isn't a bad response time really. Whether the problem is truly fixed remains to be seen. I've had no response from them yet though...

Googlaxy [PersonRank 1]

11 years ago #

This is one of the reasons why Google should have a ticket at the top of the pages (Gmail and others services) displaying where and when the lasts logins happened... much like AdSense accounts..

Paulo [PersonRank 0]

11 years ago #

Reminds me of the time I was able to hijack Google Pages accounts with a simple URL change: hownow.brownpau.com/archives/2 ...

Gareth [PersonRank 1]

11 years ago #

My bank employs a scheme which limits which computers I can access my account from. Logging in from a different computer than usual requires a lot more work than just a simple password. Don't know if that would prevent cookie hijacking like this being useful or not. Not my area.

Also, perhaps Google should think about going down the keychain route that PayPal are headed. I'd certainly consider it.

Luca Guidi [PersonRank 0]

11 years ago #

Until security hole is fixed i suggest to:

* Clear chache after a Google session.
* Or use two different browsers, one for Google, and another one for normal navigation.

Sankar Anand [PersonRank 10]

11 years ago #

Tony is a Don't Be Evil Hacker :-) lol

Michael Curry [PersonRank 0]

11 years ago #

I've never understood why any site login (google or otherwise) doesn't check that the session info is from the same IP address – in other words, a session should not be portable to another IP address. If the IP address changes, flush the session and require a new login.

Why not do this?

Bob [PersonRank 0]

11 years ago #

Michael Curry,

Perhaps because a DHCP-assigned address could change, which would invalidate that check?

Dylan Bennett [PersonRank 1]

11 years ago #

But Bob, how often does your DHCP address change while you are viewing a page?

Kylie Manders [PersonRank 1]

11 years ago #

I'd never trust Google with any of my personal info!

John Dowdell [PersonRank 1]

11 years ago #

That's a good point, thanks.

The value of such centralized data storage is so great that I think it's only a matter of time until Google administrators are targeted for blackmail by criminal gangs... the ability to hack into the personal records of large numbers of people is a valuable one, whether this access is enabled by technical hackery or by social hackery.

alek [PersonRank 10]

11 years ago #

Once the dust settles, it would be verryyy interesting to hear the details on how this one done – when you say that Tony "claimed" the hole makes be curious about this.

John Welch [PersonRank 3]

11 years ago #

So Tony, why haven't you been hired again? ;-)

Curious [PersonRank 1]

11 years ago #

Will this security hole still apply if I have noscript extension activated ?

Tim [PersonRank 0]

11 years ago #

How many more of these security flaws does there need to be, until we start making Microsoft comparisons?

Granted, the nice thing about Google is that there is a central patch point; patches are immediately applied to all users of the system. The not-so-nice thing is that a single flaw exposes all users equally and continuously. At least when my email and documents and spreadsheets are stored on my home computer, most hackers can't really get at them when my computer is shut off.

wkcow [PersonRank 1]

11 years ago #

nice find, just you like google, and you look for his lack.

Tony Ruscoe [PersonRank 10]

11 years ago #

FYI – I got this reply from the Google Security Team last night:

<< Thank you for reporting this issue to us. We take the security of our users and their information very seriously. We wanted to let you know that we addressed this problem with expediency and have taken steps to ensure it cannot occur again. >>

Ionut Alex. Chitu [PersonRank 10]

11 years ago #

OK. Now we want the (juicy) details.

Sankar Anand [PersonRank 10]

11 years ago #

yeah eager to know them

Inferno [PersonRank 10]

11 years ago #

Tony... Thanks for saving the day... i mean our privacy!

You Rock!

Suresh S [PersonRank 10]

11 years ago #

`Cmon give me Proof of Conept Script another call back function in json object

Haochi [PersonRank 10]

11 years ago #

The URL is XXXX. It was in my dream last night but I can't remember it now. Déjà vu?

Jeff W [PersonRank 0]

11 years ago #

I don't know if this is how my account was hacked but on Christmas someone got into my account and used my Google Checkout credit card to charge up $505.00 worth of domain names. Then they promptly deleted my account, I'm guessing to hide evidence or just to be an a$$ hole. So for more then a week I had no access to my account and all my email, contacts, and calender... were gone.

Luckily about a week ago Google was able to recreate my account and restore most of my data. I am still trying to discover how I was hacked but this article might be the answer.

Anyways it is pretty scarry how much trouble someone can cause if they have access to your Google account, espesially if you use Google's services as much as I do.

Elias Kai [PersonRank 10]

11 years ago #

I tested it with Google Adwords, Adsense, Analytics and guess what the most famous hole works on Google CheckOut.

Guys, Google should open their OO eyes

bd_ [PersonRank 1]

11 years ago #

I suppose part of the solution would be to use split credentials. Have a logon.google.com domain with your master session cookie ties to it – SSL only. Have another *.google.com cookie, unsecure, which identifies your account (so eg regular web search can store your personalized search) but does not grant access to any personal data.

When you visit some other google property – say, gmail, it would bounce you to login.google.com/someInternalP ... which would redirect back to a reception page on the mail.google.com domain, with a new session ID tied to that particular service. This way, a security hole in, say, google base, only gives access to google base data.

Tony Ruscoe [PersonRank 10]

11 years ago #

bd_ : They do actually do this to some extent but I was really surprised how much access the standard unsecure google.com cookie gave me.

ml [PersonRank 1]

11 years ago #

"This is one of the reasons why Google should have a ticket at the top of the pages (Gmail and others services) displaying where and when the lasts logins happened... much like AdSense accounts.." Googlaxy

What a great idea!!!

Philipp Lenssen [PersonRank 10]

11 years ago #

Update: The flaw was fixed by Google now, so Tony posted a more detailed explanation of the vulnerability.
blogoscoped.com/archive/2007-0 ...

Hugues de Saint Salvy [PersonRank 1]

11 years ago #

Google seems pretty fast at addressing security issues so far, however it also seems that the frequency of security holes has been increasing as of late. The truth is, no matter how much attention they put into it, people are bound to find one loophole or another in a line of code that enables malicious users to abuse somebody else's data. This is why I am advocating additional layers of security wherever needed. Here's a specific and illustrated example for the case of Google Docs and Spreadsheets: lepetitradiateur.blogspot.com/ ...

This is a solution similar to what Google implemented to secure their Search History feature, and it seems to me it would help protect the privacy of our data.

This thread is locked as it's old... but you can create a new thread in the forum. 

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!