Google Blogoscoped

Forum

Details of Google's Latest Security Hole

Art-One [PersonRank 10]

Sunday, January 14, 2007
12 years ago, 7,416 views

Tony, congrats on your research on the Security Hole. Also thanks for mentioning my initial reporting. I did see the security problem, but I didn't have time to research it more in depth and I'm sure I don't have the knowledge you have to make the whole setup... Thanks again!

One other question, I did report this bug to Google via the blogger support pages. Until today I didn't receive a reply from them. You've reported the bug and they both replied to you and solved the problem in a little more than 3 hours. If -ever- I find another security hole, what is the fastest way for me to report this to Google?

Jyaif [PersonRank 1]

12 years ago #

I think it's worth mentioning that after changing your password, you should also check if your emails are not automatically forwarded to another email address.

TOMHTML [PersonRank 10]

12 years ago #

Thanks for the explanation Tony!

Ionut Alex. Chitu [PersonRank 10]

12 years ago #

Lovely story, Tony. You should write more.

Haochi [PersonRank 10]

12 years ago #

<<If -ever- I find another security hole, what is the fastest way for me to report this to Google?>>
Fax to your nearby Google office. :)
google.com/corporate/address.h ...

Kylie Manders [PersonRank 1]

12 years ago #

I do not trust Google with any of my personal information. They are an evil company.

Tony Ruscoe [PersonRank 10]

12 years ago #

Art-One said:

<< If -ever- I find another security hole, what is the fastest way for me to report this to Google? >>

I just emailed: security[put at-character here]google.com

Jyaif said:

<< I think it's worth mentioning that after changing your password, you should also check if your emails are not automatically forwarded to another email address. >>

Good suggestion. However, in this case I couldn't access Gmail using just the google.com cookie so I wouldn't have been able to change any settings like this.

Ran [PersonRank 1]

12 years ago #

I never liked the way Google handled login/cookies. You could also be signed in through 2 different computers, logout on one computer, but the remaining computer would remain signed in. So let's say you forgot to logout at a computer, you would have no way of getting that computer to logout unless you physically accessed it again, even if you sign in and sign out at a different computer. Add this with the long (and unconfigurable) expire time for login, and you have a problem for forgetful people.

I suppose they did it in the interest of convenience but I would rather have my security. I see people moan about Yahoo expiring all the time (even though it IS configurable) and requiring login again, so I guess there aren't many people who prefer it that way.

Art-One [PersonRank 10]

12 years ago #

Tony: thx, I'll keep that in mind...

Elias Kai [PersonRank 10]

12 years ago #

I think Adwords, Adsense and Google CheckOut have the same problem.

alek [PersonRank 10]

12 years ago #

Great detailed writeup Tony and handled very professionally – so when is the big "G" going to make you a job offer?!? ;-)

Jyaif [PersonRank 1]

12 years ago #

They don't need to, he already works for them for free!

justinf [PersonRank 10]

12 years ago #


congrats – you've made it to the front page of digg.

Weber Ress [PersonRank 0]

12 years ago #

Portuguese translation of this article – weberress.com/2007/01/vulnerab ...

Niraj Sanghvi [PersonRank 10]

12 years ago #

Haochi, have you found yet another exploit? :

blogs.zdnet.com/Google/?p=451

Tony Ruscoe [PersonRank 10]

12 years ago #

I think the one Haochi's found is the same as this one from November 2005: jibbering.com/blog/?p=189

It was apparently fixed, so maybe it's just been re-introduced.

[Via blogoscoped.com/archive/2005-1 ... although the permalink is wrong.]

Ionut Alex. Chitu [PersonRank 10]

12 years ago #

the Base XSS:
digg.com/security/Details_of_G ...

Peter Gloor [PersonRank 0]

12 years ago #

Why did it take so long? I personally reported the issue to Google quite a long time ago, but did not have the feeling they took it seriously. Sure, I couldn't exactly explain what happens, but from a company like Google I would expect they look at these things with first priority.

Peter

;Op [PersonRank 0]

12 years ago #

I'm surprised by the "fix" that has been applied: it only protects Google apps (mail, etc), but not other web sites which use "reusable" cookies to handle their sessions. So Blogger introduces a security hole to many web servers, and this has not been fixed! Am I missing something?

Tony Ruscoe [PersonRank 10]

12 years ago #

>> Am I missing something?

Yes. The only reason this security hole worked was because I could host a blog on Google's domain. If you enter another website's domain in the "Custom Domain" field, it will simply redirect to that website – unless the owner of the domain is pointing it to ghs.google.com and *not* using it themselves (which is very unlikely) – meaning you would therefore be unable to steal the cookies of anyone using their website.
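
The cookie-scoping rule behind this answer, as an added example that is not part of the original post: a cookie set with a parent Domain attribute is sent to every host under that domain, including user-hosted content, while a host-only cookie, or a host on an unrelated domain, never receives it. All hostnames and cookie names are constructed; the matching follows RFC 6265.

```javascript
// RFC 6265 section 5.1.3 domain matching, plus the host-only flag from 5.3.
// All hostnames and cookie names below are constructed for illustration.
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === dom) return true;
  // A suffix match only counts on a label boundary, and never for IP literals.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + dom);
}

// Build the stored cookie the way a browser would from a Set-Cookie response.
function storeCookie(name, originHost, domainAttr) {
  if (domainAttr === undefined) {
    // No Domain attribute: the cookie is bound to the exact issuing host.
    return { name, domain: originHost.toLowerCase(), hostOnly: true };
  }
  // A server may only set a Domain that covers its own hostname.
  if (!domainMatch(originHost, domainAttr)) return null;
  return { name, domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// Names of the cookies a browser would attach to a request for requestHost.
function cookiesSentTo(requestHost, jar) {
  const host = requestHost.toLowerCase();
  return jar
    .filter((c) => c !== null)
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map((c) => c.name);
}

function buildReport() {
  const jar = [
    storeCookie("wide_session", "accounts.example.com", "example.com"),
    storeCookie("host_session", "accounts.example.com", undefined),
    storeCookie("foreign", "accounts.example.com", "other.test"), // rejected
  ];
  return {
    issuer: cookiesSentTo("accounts.example.com", jar),
    userBlog: cookiesSentTo("userblog.example.com", jar), // user content on the parent domain
    lookalike: cookiesSentTo("notexample.com", jar),
    ownDomain: cookiesSentTo("www.customer-site.test", jar), // custom domain elsewhere
  };
}

console.log(buildReport());
```
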

David Gonzalez [PersonRank 0]

12 years ago #

Hi there!

I am just facing something and wondering if it has to do with the same issue. Here is the story:
I have two blogs: nomadtest.blogspot.com, and blognomadland.blogspot.com

and one domain name: www.davidg.es
By error, I switched nomadtest.blogspot.com to custom domain www.davidg.es. In fact I wanted to switch the other.

When I realised I went back immediately, reversing nomadtest to blogger publishing, then switched blognomadland to www.davidg.es. Surprise, error message saying "this domain is being used by another blog".

So I deleted nomadtest (the whole blog) and I tried again. Still same error. Seems like a blogger caching error, any idea? Now I can not publish my blog on my own domain.... :-((

thanks!

Tony Ruscoe [PersonRank 10]

12 years ago #

David Gonzalez: Here's your answer...

labnol.blogspot.com/2007/01/bl ...

<< While you can do nothing about it, the issue can be resolved by writing to the Blogger Support as it requires manual intervention.

The page to contact Blogger support is blogger.com/problem.g

You can also post a copy of your support request on the Blogger Group from where the Google support team represented by Blogger Buzz and Blogger Employee can pick it up. >>

Gopal Aggarwal [PersonRank 0]

12 years ago #

Keep up the efforts man!
