Tuesday, September 18, 2007

Google Privacy Problems Introduced Through Presentations

Google’s Presentation tool is just freshly released but already introduced a first privacy vulnerability for Google Accounts... independent of whether or not you look at a presentation. Using a straightforward hack discovered by TomHTML (which I can detail once Google security got some time to tackle the message they got from us, if they consider it a problem indeed), you can use Google’s Presentations service to grab the name/ Gmail email address of people visiting your website... without them confirming that they want to share their name/ email with you, or share the fact they’re visiting your site! Note this only works when the visitor is also signed in to their Google Account, but other than that requires no special programming capabilities (it may or may not work in every context/ with every browser).

I mentioned it before: because of the single-sign-on Google Account framework, every individual Google product has the power to introduce security or privacy vulnerability issues in other, unrelated Google products, or with the Google account in general. This current case is relatively harmless as it’s “only” a privacy issue and not a security issue, but it’s another example of the problem field. Whenever Google releases something on google.com, we must be aware that it doesn’t matter if it’s considered an Experimental, Labs, Alpha or Beta product by the engineers who created it... it’s still able to tamper with the almighty Google cookie.

[Thanks TomHTML and Tony!]

Update: Google informed me that they fixed the bug now. My tests show this seems to be the case indeed – I can’t reproduce the privacy vulnerability anymore. [Thanks Sam!]

Update 2: TomHTML in the comments says the privacy vulnerability, albeit in another form, is still there. [Thanks TomHTML!]

Google Privacy Problems I ... by Philipp Lenssen | Comments (16)

>> More posts

Advertisement