Google Blogoscoped

Forum

Google Security Hole Allows Account Hijacking

Kirby Witmer [PersonRank 10]

Friday, January 12, 2007
17 years ago, 11,041 views

Yikes!!

Tony Ruscoe [PersonRank 10]

17 years ago

It seems to be fixed now. They've taken down my proof of concept page anyway. I think it took them around 3 hours 30 minutes or so from me emailing them... which isn't a bad response time really. Whether the problem is truly fixed remains to be seen. I've had no response from them yet though...

Googlaxy [PersonRank 1]

17 years ago

This is one of the reasons why Google should have a ticket at the top of the pages (Gmail and other services) displaying where and when the last logins happened... much like AdSense accounts.

Paulo [PersonRank 0]

17 years ago

Reminds me of the time I was able to hijack Google Pages accounts with a simple URL change: http://hownow.brownpau.com/archives/2006/02/google_pages/

Gareth [PersonRank 1]

17 years ago

My bank employs a scheme which limits which computers I can access my account from. Logging in from a different computer than usual requires a lot more work than just a simple password. Don't know if that would prevent cookie hijacking like this from being useful or not. Not my area.

Also, perhaps Google should think about going down the keychain route that PayPal are headed. I'd certainly consider it.

Luca Guidi [PersonRank 0]

17 years ago

Until the security hole is fixed, I suggest:

* Clear the cache after a Google session.
* Or use two different browsers, one for Google and another one for normal navigation.

Sankar Anand [PersonRank 10]

17 years ago

Tony is a Don't Be Evil Hacker :-) lol

Michael Curry [PersonRank 0]

17 years ago

I've never understood why any site login (google or otherwise) doesn't check that the session info is from the same IP address – in other words, a session should not be portable to another IP address. If the IP address changes, flush the session and require a new login.

Why not do this?

Bob [PersonRank 0]

17 years ago

Michael Curry,

Perhaps because a DHCP-assigned address could change, which would invalidate that check?

Dylan Bennett [PersonRank 1]

17 years ago

But Bob, how often does your DHCP address change while you are viewing a page?

Kylie Manders [PersonRank 1]

17 years ago

I'd never trust Google with any of my personal info!

John Dowdell [PersonRank 1]

17 years ago

That's a good point, thanks.

The value of such centralized data storage is so great that I think it's only a matter of time until Google administrators are targeted for blackmail by criminal gangs... the ability to hack into the personal records of large numbers of people is a valuable one, whether this access is enabled by technical hackery or by social hackery.

alek [PersonRank 10]

17 years ago

Once the dust settles, it would be verryyy interesting to hear the details on how this one was done – when you say that Tony "claimed" the hole, it makes me curious about this.

John Welch [PersonRank 3]

17 years ago

So Tony, why haven't you been hired again? ;-)

Curious [PersonRank 1]

17 years ago

Will this security hole still apply if I have the NoScript extension activated?

Tim [PersonRank 0]

17 years ago

How many more of these security flaws do there need to be until we start making Microsoft comparisons?

Granted, the nice thing about Google is that there is a central patch point; patches are immediately applied to all users of the system. The not-so-nice thing is that a single flaw exposes all users equally and continuously. At least when my email and documents and spreadsheets are stored on my home computer, most hackers can't really get at them when my computer is shut off.

wkcow [PersonRank 1]

17 years ago

nice find, just you like google, and you look for his lack.

Tony Ruscoe [PersonRank 10]

17 years ago

FYI – I got this reply from the Google Security Team last night:

<< Thank you for reporting this issue to us. We take the security of our users and their information very seriously. We wanted to let you know that we addressed this problem with expediency and have taken steps to ensure it cannot occur again. >>

Ionut Alex. Chitu [PersonRank 10]

17 years ago

OK. Now we want the (juicy) details.

Sankar Anand [PersonRank 10]

17 years ago

Yeah, eager to know them.

Inferno [PersonRank 10]

17 years ago

Tony... Thanks for saving the day... I mean our privacy!

You Rock!

Suresh S [PersonRank 10]

17 years ago

C'mon, give me the proof of concept script... another callback function in a JSON object.

Haochi [PersonRank 10]

17 years ago

The URL is XXXX. It was in my dream last night but I can't remember it now. Déjà vu?

Jeff W [PersonRank 0]

17 years ago

I don't know if this is how my account was hacked, but on Christmas someone got into my account and used my Google Checkout credit card to charge up $505.00 worth of domain names. Then they promptly deleted my account, I'm guessing to hide evidence or just to be an a$$ hole. So for more than a week I had no access to my account, and all my email, contacts, and calendar... were gone.

Luckily about a week ago Google was able to recreate my account and restore most of my data. I am still trying to discover how I was hacked but this article might be the answer.

Anyways, it is pretty scary how much trouble someone can cause if they have access to your Google account, especially if you use Google's services as much as I do.

Elias Kai [PersonRank 10]

17 years ago

I tested it with Google AdWords, AdSense and Analytics, and guess what: the most famous hole works on Google Checkout.

Guys, Google should open their OO eyes

bd_ [PersonRank 1]

17 years ago

I suppose part of the solution would be to use split credentials. Have a logon.google.com domain with your master session cookie tied to it – SSL only. Have another *.google.com cookie, unsecure, which identifies your account (so e.g. regular web search can store your personalized search) but does not grant access to any personal data.

When you visit some other Google property – say, Gmail – it would bounce you to https://login.google.com/someInternalPage, which would redirect back to a reception page on the http://mail.google.com domain, with a new session ID tied to that particular service. This way, a security hole in, say, Google Base only gives access to Google Base data.
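The split-credential scheme bd_ sketches, modelled as an added example (not the page's code and not Google's design): a host-only master cookie on the SSL-only login host, an unsecure identity cookie on the parent domain, and HMAC-signed session tokens that are valid for exactly one service. The hostnames, cookie names and signing key are constructed for illustration.

```python
"""Service-scoped sessions as proposed in the thread (illustrative model)."""
import hashlib
import hmac
import secrets

# Constructed signing key shared by the login host and the service hosts.
SIGNING_KEY = b"constructed-signing-key-for-illustration-only"


def master_session_cookie(login_host="login.example.com"):
    """Master credential: a host-only, Secure, HttpOnly cookie on the
    SSL-only login host. It is never scoped to the parent domain."""
    sid = secrets.token_urlsafe(24)
    return sid, f"SID={sid}; Domain={login_host}; Path=/; Secure; HttpOnly"


def identity_cookie(account_id, domain="example.com"):
    """The unsecure *.example.com cookie: names the account (e.g. for
    personalised search) but grants no access to personal data."""
    return f"ID={account_id}; Domain={domain}; Path=/"


def issue_service_token(account_id, service):
    """Login host: mint a session token valid for exactly one service."""
    nonce = secrets.token_hex(8)
    msg = f"{account_id}|{service}|{nonce}".encode()
    mac = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{account_id}.{service}.{nonce}.{mac}"


def verify_service_token(token, expected_service):
    """Service host: return the account id only if the token is genuine
    and was minted for *this* service; a token lifted from one property
    (say Base) is rejected by another (say Mail)."""
    parts = token.rsplit(".", 3)
    if len(parts) != 4:
        return None
    account_id, service, nonce, mac = parts
    if service != expected_service:
        return None
    msg = f"{account_id}|{service}|{nonce}".encode()
    good = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return account_id if hmac.compare_digest(mac, good) else None


def service_cookie(token, service_host):
    """Per-service cookie scoped to that host alone, so a hole in one
    property cannot read another property's session cookie."""
    return f"SVC_SID={token}; Domain={service_host}; Path=/; HttpOnly"
```

The point of the model is the failure mode bd_ describes: a token or cookie leaked from one property verifies only there, so the blast radius of a single hole is one service rather than the whole account.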

Tony Ruscoe [PersonRank 10]

17 years ago

bd_ : They do actually do this to some extent but I was really surprised how much access the standard unsecure google.com cookie gave me.

ml [PersonRank 1]

17 years ago

"This is one of the reasons why Google should have a ticket at the top of the pages (Gmail and other services) displaying where and when the last logins happened... much like AdSense accounts." – Googlaxy

What a great idea!!!

Philipp Lenssen [PersonRank 10]

17 years ago

Update: The flaw was fixed by Google now, so Tony posted a more detailed explanation of the vulnerability.
http://blogoscoped.com/archive/2007-01-14-n21.html

Hugues de Saint Salvy [PersonRank 1]

17 years ago

Google seems pretty fast at addressing security issues so far, however it also seems that the frequency of security holes has been increasing as of late. The truth is, no matter how much attention they put into it, people are bound to find one loophole or another in a line of code that enables malicious users to abuse somebody else's data. This is why I am advocating additional layers of security wherever needed. Here's a specific and illustrated example for the case of Google Docs and Spreadsheets: http://lepetitradiateur.blogspot.com/2007/01/suggestion-increased-security-in.html

This is a solution similar to what Google implemented to secure their Search History feature, and it seems to me it would help protect the privacy of our data.
