Google Blogoscoped

Forum

Google Book Search Security Hole

Roger Browne [PersonRank 10]

Saturday, February 18, 2006
18 years ago

I'm guessing this is like a session ID that will time out after a short while.

CoMagz Linkadelic Magazine [PersonRank 1]

18 years ago #

This is definitely not a security hole.

Google is sharing books without copyrights.

They want all the users to use the same password to enter the service because it will make their court case cheaper when they'll claim the reader(s) is responsible for copyright violation, not Google.

http://www.comagz.com/webmagazine/

Splasho [PersonRank 10]

18 years ago #

Interesting... I did it twice and got different results for the auth (some characters were the same and some different), so I presume it does expire and does not actually contain your password.

Zoolander [PersonRank 4]

18 years ago #

Philipp, it is highly ingenious of you to publish these security holes before they are fixed. A high-profile blogger like you doesn't need to get low like this.

Sincerely..

Philipp Lenssen [PersonRank 10]

18 years ago #

Zoolander, I think you misunderstand.

As I said in the post, from what I can see there is nothing you can do to *abuse* this information – the only thing you can do with this information is to not send out these URLs to your friends as a precaution. This Google bug is only a security problem in the sense that if you don't know what the "auth" parameter does, which I helped clarify with this post, you might post it somewhere where people could abuse it. There is an important distinction between preventing someone from falling into a security hole by offering information, which is what I did, and offering information that will allow one to abuse a security hole. For the latter, I would indeed have given Google time to fix it.

You wouldn't complain about someone releasing a patch either, would you. So in this case, the patch is simple: don't send out URLs with the "auth" parameter.

In any case, even if you do send out your URL with the "auth" parameter because you didn't read this post, this is a minor bug at worst – because the other person can't use your account. All that happens is that she will see your email address.

/pd [PersonRank 10]

18 years ago #

Philipp, were you using 2 different systems, one for a send and one for a receive? I.e. the link that you opened in FF was on another machine/PC?

Philipp Lenssen [PersonRank 10]

18 years ago #

For Brian, who uncovered the bug, it was a different machine (different persons). For me, it was the same machine with different browsers.

Michael White [PersonRank 1]

18 years ago #

You're a bad, bad person, having 2 Google Accounts! ;)

/pd [PersonRank 10]

18 years ago #

Philipp, then the code is just pulling your static data from the HDD. I think your process is flawed... using two different email accounts is OK, as it's on the same machine...

Can Brian confirm the same discovery pattern on different machines? Then there is a serious bug... I am seeing that I can uncover more info than needed (i.e. on my own (different) account).

Philipp Lenssen [PersonRank 10]

18 years ago #

Pd, I logged in with Internet Explorer. I then deleted my Firefox cookies. I then opened the IE-URL in FF. I was then logged in with my Google account in FF. See how this must be a bug, and cannot be normal behavior, even on 1 machine? Or since when does Firefox take IE's cookies when it can't find its own? And yes, Brian saw it on 2 different machines.

/pd [PersonRank 10]

18 years ago #

OK, thanks – Philipp

Shawn [PersonRank 0]

18 years ago #

You violated Google's TOS by having one account going in two browsers! I'm filling out a report and using this post as evidence. Prepare to be Googlesmacked.

Brian M. [PersonRank 10]

18 years ago #

I am in Colorado, my friend is in Italy, fwiw.

Philipp Lenssen [PersonRank 10]

18 years ago #

I clarified the post to explain what I did with the two browsers – my point was not that the security bug is about someone operating two accounts or anything. The point is that two different browsers should not know each others cookies!

alek [PersonRank 10]

18 years ago #

I disagree with some comments that it was inappropriate for Philipp to mention this loophole. First, it was already posted elsewhere. Second, it's not a HUGE hole as Philipp outlined ... although it should be fixed. Finally, it's good IMHO to have these brought forward – heck, remember how BMW.DE was spamming Google – few days after Philipp mentioned it, Google banned BMW ... and they cleaned up their act – all good stuff – my two cents.

/pd [PersonRank 10]

18 years ago #

Philipp is right – "The point is that two different browsers should not know each others cookies" – but the flaw here is when one machine is used by two different Gmail accounts (two different people) with the same defaulted browser (either IE or FF)!!

Brian M. [PersonRank 10]

18 years ago #

> The point is that two different browsers should not know each others cookies!

Even moreso, Google should not attempt to uniquely identify you based on a URL generated when casually using their service. It is occasionally OK to generate such URLs, but usually only when you are sending the user a verification link or some such through an e-mail address that they initiated (so they know for sure who the person is).

So the scary thing here is that Google is not even checking against a cookie in the first place. Search for "site:google.com inurl:auth" and it's clear that the auth parameter has been used in their services for some time. It would appear that this is planned into the system. Google gives the uniquely identifying URL an expiry date, so it is only a "temporary" security risk. The user has to be involved in sharing the URL, and the damage that can be done once someone else is logged in as them is negligible to nil.

That aside, the approach is fundamentally flawed, if for no other reason than that I don't feel my data is safe when others are given the appearance of having the privilege of being me.

John [PersonRank 0]

18 years ago #

Good find! Hopefully google will get this addressed ASAP! Multiple users on one machine is not that unheard of ;) Internet cafes, workplace, etc., could cause issues in numerous ways.

Brian M. [PersonRank 10]

18 years ago #

It appears that Google has fixed this. I am now seeing a sig parameter instead of the auth parameter, and they now check for your cookie.
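The two designs the thread contrasts (Brian M.'s description of a URL "auth" value that is never checked against a cookie, and the later fix with a "sig" parameter plus a cookie check) can be modelled side by side. This is an added example written for this page, not Google's code; the secret, TTL, session store, and hostname are all constructed, and a production version would sign every query parameter, not just the expiry.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-example-secret"   # server-side key, constructed for this example
TTL = 600                                # token lifetime in seconds (assumed value)
SESSIONS = {}                            # cookie session id -> account email (toy session store)
AUTH_TOKENS = {}                         # 'auth' value -> (email, expiry) for the weak pattern

def issue_auth_url(email, now):
    """Weak pattern from the thread: the 'auth' value by itself names the account."""
    token = hashlib.sha256(f"{email}:{now}".encode()).hexdigest()[:20]
    AUTH_TOKENS[token] = (email, now + TTL)
    return "https://books.example/?" + urlencode({"q": "test", "auth": token})

def resolve_auth_url(url, cookie_session, now):
    """Whoever presents the URL is treated as the account; cookie_session is never consulted."""
    token = parse_qs(urlparse(url).query)["auth"][0]
    email, expires = AUTH_TOKENS.get(token, (None, 0))
    return email if email and now < expires else None

def _sig(email, session, expires):
    # HMAC binds the URL to a specific account, a specific browser session and an expiry.
    msg = f"{email}|{session}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]

def issue_sig_url(cookie_session, now):
    """Hardened pattern: the signature is bound to the issuing browser's session and an expiry."""
    expires = now + TTL
    sig = _sig(SESSIONS[cookie_session], cookie_session, expires)
    return "https://books.example/?" + urlencode({"q": "test", "expires": expires, "sig": sig})

def resolve_sig_url(url, cookie_session, now):
    """The account comes from the caller's own cookie; the URL only proves it was issued for it."""
    email = SESSIONS.get(cookie_session)
    if email is None:
        return None                      # no cookie: a second browser or another machine
    p = parse_qs(urlparse(url).query)
    expires = int(p["expires"][0])
    if now >= expires:
        return None                      # expired link
    ok = hmac.compare_digest(_sig(email, cookie_session, expires), p["sig"][0])
    return email if ok else None         # a different person's cookie yields a different signature
```

With the weak pattern a browser holding no cookie at all is logged in as the issuer until the token expires; with the signed pattern the same URL is useless without the issuing session's cookie.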

/pd [PersonRank 10]

18 years ago #

Someone, somewhere is listening :)-

Thanks for being on this, Brian – it kinda slipped off my radar.

Philipp Lenssen [PersonRank 10]

18 years ago #

I also sent off an email to Google before publishing this post. I didn't get a reply yet though...

/pd [PersonRank 10]

18 years ago #

Philipp, I stopped sending emails to Google. Too much canned response... it's better to just id the bug and post it somewhere...

If they listen, good for them – if not, too for them – it's no skin off my nose :)-

Adam Ray [PersonRank 0]

18 years ago #

The problem is about the "restricted pages" to everyone.
Is there any way to pass the "sorry, restricted page to view" and view the really restricted pages?
