Google Blogoscoped

Friday, January 12, 2007

Google Security Hole Allows Account Hijacking

It’s your worst nightmare – someone reads parts of your Google emails, views your docs, modifies your spreadsheets, checks out your reading habits on the Google personalized homepage or Google Reader, and goes through your search history. Yet, by making use of a new Google security hole, Tony Ruscoe was able to do all that with my Google account.

Tony’s not a malicious hacker of course (in fact, the first thing he did was inform Google Security!), but he found a loophole in a new feature Google rolled out recently. Using a proof of concept script targeting this loophole (which I can detail once it’s fixed), all Tony needed to do was make a user who’s logged into their Google Account visit a page of his, which happened to be on a “trustworthy” sub-domain. I visited Tony’s page, which sent my Google cookies to Tony, which in turn enabled him to:

This is far from the full list of services Tony was able to see in our brief tests. What he specifically was not able to do was read my full emails, check my Calendar events, or change my Google Account password (which would’ve given him full access to basically anything).

Now, the vulnerability in question is a very special kind, and Tony, by “claiming” this loophole, also blocked it for other abusers. This means that in this case, even though Google hasn’t yet fixed the hole, there is nothing to worry about (except that someone might find more holes in the vicinity of this bug). However, I am posting on this because it’s a worthwhile reminder that no company’s security is ever completely cracker-proof; in very rare circumstances, whatever you saved in Google, or entered in Google, can escape your control and land in the wrong hands. Or, as Tony phrased it on his proof of concept page, “Think yourself lucky that I wasn’t that evil!”

[Thanks Tony!]

Update: Google has now fixed the flaw, so Tony has posted a more detailed explanation of the vulnerability.

