Google Blogoscoped

Thursday, August 30, 2007

Your Google Mashups Code Is Public

Have you created projects with the Google Mashup Editor? Did you know they’re all public for the world to see, even before you hit publish? Well, perhaps it’s in some footnote, but I was surprised by this, and so were others.

I reproduced this a while ago by opening the Google Mashup Editor. I created a file with little more content than the word “Secret?”. I then saved the file under the name “secrettest123” and tested it; it compiled OK.

The project immediately appeared under the public Google Code page. From there, you can click the project, hit the “Source” tab, and go to the Subversion repository. Click on trunk -> index.gml and you can see the source text, “Secret?”.

“You can try out your application whenever you want by clicking Test. Once you’re satisfied that it’s ready to go, you can use the File > Publish Project menu item to deploy your application on Google’s servers,” Google writes. But I never hit “Publish Project”.

I sent this to Google security almost two weeks ago but didn’t receive a (human) reply, and the behavior persists... might be a feature, not a bug.

[Thanks TomHTML!]

Update: Just to clarify, as this can be misunderstood: the issue is not that the code of published mashups is public. The issue is that the code of unpublished mashups is public.

