Google Blogoscoped

Forum

Another Google Hole Uncovered

Brian Mingus [PersonRank 10]

Tuesday, January 16, 2007
13 years ago, 6,327 views

I don't understand the usefulness of touting the existence of a security flaw and not providing the details.

Mysterius [PersonRank 10]

13 years ago #

Philipp is just letting you know that a security vulnerability is on the loose right now, so you can be extra cautious about visiting unknown URLs. He also suggested some steps you can take near the end of his post.

Revealing more might tip off malicious hackers to the vulnerability. I'm sure we'll find out more when he's sure Google has fixed the vulnerability.

elyk [PersonRank 6]

13 years ago #

Because the fact that its existence is known encourages Google to fix it rapidly. This post also serves to warn people of the issue so that they can take counter-measures until it gets fixed.

asdf [PersonRank 1]

13 years ago #

I'm just the opposite of the first comment.

I think 7 hours' notice is a bit extreme, don't you?

I mean we all know MS and some of the others wouldn't fix anything at all if some of the exploits were not made public.

But Google has been very responsive, and these hints make it far more likely that a bad guy will use the exploit to infect your machine, steal your e-mail, etc., and 7 hours is hardly enough time for most of these things to even be reproduced accurately, let alone fixed.

/pd [PersonRank 10]

13 years ago #

"the usefulness of touting the existence of a security flaw and not providing the details."

Details are not required. It's about being knowing and sharing. Philipp and Tony have done the right thing. The protocols on disclosure are in alignment. The details are trivial and can always be disputed... but this does not turn the knob away from risk!

Sankar Anand [PersonRank 10]

13 years ago #

Yeah, Google is serious about the security issues. And it should be!

Philipp Lenssen [PersonRank 10]

13 years ago #

> But Google has been very responsive, and these hints
> make it far more likely that a bad guy will use the
> exploit to infect your machine, steal your e-mail, etc.,
> and 7 hours is hardly enough time for most of these
> things to even be reproduced accurately, let alone fixed.

Asdf, the 7 hours are not by any means enough time for Google to fix this. And that's exactly why I'm not reporting any details that will help a cracker to abuse Google users. I did mention the general workings of an HTML injection, cross-site scripting, and browser cookies, but as any web developer can tell you, none of these are the core of the problem at hand, nor by any means a secret. You will find more on this on Wikipedia and hundreds of thousands of other sites:

en.wikipedia.org/wiki/Code_inj ...
en.wikipedia.org/wiki/Cross_si ...
en.wikipedia.org/wiki/HTTP_coo ...

Brian Mingus [PersonRank 10]

13 years ago #

The knowledge that something is possible often fuels innovation. The hundreds of thousands of spam bots out there are clear evidence that people are scouring the web looking for vulnerabilities. Telling them that an unpatched vulnerability exists on Google's servers is only going to make them look harder, and probably find new flaws that you weren't aware of.

I seriously doubt this strategy of security through obscurity works. Nobody is more secure because you didn't release the details. If you really want to help Google, I'd suggest not publishing until after they fix the problem.

Brian Mingus [PersonRank 10]

13 years ago #

Maybe I can say that more clearly: All you have done is create an arms race between Google and the bad guys who would exploit such a security hole. Can they fix it before they can exploit it?

This benefits no one.

/pd [PersonRank 10]

13 years ago #

Brian, are you suggesting that ethical full disclosure was not adhered to on this round and that Google was not aware of such vulnerabilities prior to this blog post??

Philipp Lenssen [PersonRank 10]

13 years ago #

> Nobody is more secure because you didn't
> release the details.

I strongly disagree. Releasing the details would have given a lot to work with if a cracker reads along. Right now, the cracker won't be able to work with anything from my article.

> All you have done is create an arms race between Google
> and the bad guys who would exploit such a security hole.

Believe me, with or without news reporting on HTML injections, the race is already on (and has been for a long time). Do you think crackers wait for news sites to tell them that Google has insecurities, and otherwise simply believe "it's safe, let's not bother looking for holes?" Unfortunately, that's just not the case. HTML injections and cross-site scripting are a potential problem for *every* web application, and that certainly includes Google – don't underestimate hackers, they know this perfectly well without me telling them.

Brian Mingus [PersonRank 10]

13 years ago #

But that's a contradiction. You aren't including the details because it would expose them to the hackers, but it doesn't matter that you're not exposing the details because "they know this perfectly well" without you telling them.

/pd [PersonRank 10]

13 years ago #

"The flaw was fixed by Google now"??

How has it been ascertained that the cracker hole is blocked out?? Any comments from the Google Sec Team??

Ionut Alex. Chitu [PersonRank 10]

13 years ago #

Google really needs to hire some security experts to check all their products and services. This is getting ridiculous.

Ionut Alex. Chitu [PersonRank 10]

13 years ago #

Some more stuff here:
digg.com/tech_news/Third_Googl ...

Ionut Alex. Chitu [PersonRank 10]

13 years ago #

The Base XSS has been fixed.

Link for posterity:
base.google.com/base/s2?a_n0=% ...)%3C/script%3E&a_y0=9&hl=en&gl=US

Sankar Anand [PersonRank 10]

13 years ago #

Google should send some gifts to people who report the biggest exploits.

So that they would be encouraged to find even more flaws and make Google products more secure than before.

Does Google think people don't have any other work other than finding security bugs in Google products?

When people find some of the biggest flaws, what they get in return is just a mail from the support team saying

"Thanks for reporting the issue". Who needs thanks errrrrrrrrrr!

Philipp Lenssen [PersonRank 10]

13 years ago #

> But that's a contradiction. You aren't including the
> details because it would expose them to the
> hackers, but it doesn't matter that you're not
> exposing the details because "they know this perfectly well"
> without you telling them.

No Brian – please see above [Up] blogoscoped.com/forum/82927.ht ... (I only mentioned the publicly known stuff about XSS from security 101, but did not mention the specifics of this bug that a cracker could work with)

And yes, the bug has been fixed now... I updated the post.

Elias Kai [PersonRank 10]

13 years ago #

I told you...

Andrew Hitchcock [PersonRank 10]

13 years ago #

Wow, you guys are great at finding all these security holes. You are keeping Google on their toes :).

Brian Mingus [PersonRank 10]

13 years ago #

it.slashdot.org/article.pl?sid ...

/pd [PersonRank 10]

13 years ago #

The /. article states: "I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: 'There is no way to report a vulnerability safely.'"

Noteworthy HD Moore is part of the SecCon for Goog's..

I wonder when the whitehatters will begin to create pipelines where the generic users for production sites have to fear of reporting holes!!!!

Tony Ruscoe [PersonRank 10]

13 years ago #

Brian, that's an interesting discussion. It's pretty comical how people are likening the discovery of web vulnerabilities to breaking into someone's house!

Brian Mingus [PersonRank 10]

13 years ago #

I think the article is a bit sensationalist. There are well-defined grammars for all web languages. That means that when you read a public website's source code, all you are really doing to understand it is applying the rules of the language. IANAL, but I see nothing illegal in this. It is illegal if you discover and proceed to exploit a vulnerability with malicious intent, and it might well be illegal to report that a vulnerability exists and /could/ be used with malicious intent. It's like aiding and abetting.

I could also argue that it is simply the public dissemination of facts. But some facts are obvious, and some aren't. You have to be somewhat of an expert in order to discover these flaws, and your knowledge may be exactly the proof someone needs. It's all fairly untested, so I'm not the one to say.

I now understand that this post in particular was not the original report of the flaw, and to me that's fine. But I'm against publicly exposing the details of flaws, even if it is in tandem with the report to the content provider. And I think it's probably illegal, but I don't have any evidence to point to, so you can disagree with me on that.

/pd [PersonRank 10]

13 years ago #

btw-- the experts (normally) follow thru with ethical disclosure methods. They are known in the circle. Vendors pay them for the exploit.

Whereas Tony (for example) discovered a flaw with the cookies (not because it's his job), rather it was intriguing and he digs and discovers a major issue. How will this be reported?? He writes to google[put at-character here]security.com and then no reply, and then what happens. He does the next best thing possible: he goes public and blogs about it. Now that goes against the grain of your thought.. "I'm against publicly exposing the details of flaws," However, the details are publicly placed because the user feels it's safer if everyone knows and it's in public space, then the burden of security rests with the vendor...

BTW the protocol is simple
1) ZeroDay contact the vendor
2) Wait 15 days and recontact the vendor
3) Wait 30 days and then go FD mode..

..yeah and blackhatters take the other route and pimp the flaw for anything like $25K to 250K!!

sp [PersonRank 1]

13 years ago #

It is fixed now!!!!!!!!!!

Philipp Lenssen [PersonRank 10]

13 years ago #

The "unwritten" rules for journalists with news media go something like this, also depending on which news house we're talking about. Now, a blogger is not a "real" traditional journalist, of course, but it can't hurt to compare notes, and I talked to a journalist of Germany's biggest IT news site to compare notes during the last couple of days:

1. The news itself must be reported if it's newsworthy, out of obligation to the reader (the main obligation a news magazine has)
2 a) Additionally, a full disclosure can be delivered if the full disclosure is *already public* in other news sources, and a link to a full proof of concept demonstration may be shown while the exploit is unfixed.
2 b) If the exploit is unfixed and *exclusive* to the media house in question, it will however not be fully disclosed.
3. As a matter of good journalistic style, though not strictly journalistic obligation, the vendor will be contacted with information on the exploit.
4. If the exploit is fixed, a follow-up with more information (e.g. full disclosure) follows.

Tony and I look to conform to these before going live with such postings. I am actually somewhat divided about 2 a, and often handle it differently (that is, not linking to full exploits while they're unfixed, even when they're public), but I guess it also depends on *how* public the exploit became.
(There are some more considerations than above, of course, including how likely it is that releasing details will help users to defend against the exploit, and how important the exploit is.)

I believe what makes this a rather new situation is that people like Tony are very much "virtual journalists." Tony doesn't physically go out to photograph the Googleplex, he actually conducts virtual research: he's reporting on something virtual (Google's services) in a virtual setting (the web). And in-depth virtual research is almost indistinguishable from whitehat hacking. (I believe this whitehat hacking, if you want to call it that, is however clearly distinguishable from blackhat "cracking", which Tony never does.)

The vendor, of course, should also have a protocol, maybe something like this:
1. Provide a security contact option.
2. Get back timely to people telling them the information has been received.
3. Get back to them again once the exploit has been fixed.

In the past I often heard people say that Google doesn't commit to this protocol, leaving them in the dark about whether the reports had been received and/or fixed. But I think Google improved their communication.
