Tony, congrats with your research on the Security Hole. Also thanks for mentioning my initial reporting. I did see the security problem, but I didn't have time to research it more in depth and I'm sure I don't have the knowledge you have to make the whole setup... Thanks again!

One other question, I did report this bug to Google via the blogger support pages. Until today I didn't receive a reply from them. You've reported the bug and they both replied to you and solved the problem in a little more than 3 hours. If -ever- I find an other security hole, what is the fastest way for me to report this to Google?

I think it's worth mentioning that after changing your password, you should also check if your emails are not automatically forwarded to an other email address.

Thanks for the explaination Tony!

Lovely story, Tony. You should write more.

<<If -ever- I find an other security hole, what is the fastest way for me to report this to Google?>>
Fax to your nearby Google office. :)
http://www.google.com/corporate/address.html

I do not trust Google with any of my pesonal information. They are an evil company

Art-One said:

<< If -ever- I find an other security hole, what is the fastest way for me to report this to Google? >>

I just emailed: securitygoogle.com

Jyaif said:

<< I think it's worth mentioning that after changing your password, you should also check if your emails are not automatically forwarded to an other email address. >>

Good suggestion. However, in this case I couldn't access Gmail using just the google.com cookie so I wouldn't have been able to change any settings like this.

I never liked the way Google handled login/cookies. You could also be signed in through 2 different computers, logout on one computer, but the remaining computer would remain signed in. So let's say you forgot to logout at a computer, you would have no way of getting that computer to logout unless you physically accessed it again, even if you sign in and sign out at a different computer. Add this with the long (and unconfigurable) expire time for login, and you have a problem for forgetful people.

I suppose they did it in the interest of convenience but I would rather have my security. I see people moan about Yahoo expiring all the time (even though it IS configurable) and requiring login again, so I guess there aren't many people who prefer it that way.

Tony: thx, I'll keep that in mind...

I think Adwords Adsense and Google CheckOut has the same problem.

Great detailed writeup Tony and handled very professionally – so when is the big "G" going to make you a job offer?!? ;-)

They don't need to, he already works for them for free!

congrats – you've made it to the front page of digg.

Portugue Translation of this article – http://www.weberress.com/2007/01/vulnerabilidade-de-segurana-do-google.html

Haochi, have you found yet another exploit? :

http://blogs.zdnet.com/Google/?p=451

I think the one Haochi's found is the same as this one from November 2005: http://jibbering.com/blog/?p=189

It was apparently fixed, so maybe it's just been re-introduced.

[Via http://blogoscoped.com/archive/2005-11-22-n22.html although the permalink is wrong.]

the Base XSS:
http://digg.com/security/Details_of_Google_s_Latest_Security_Hole#c4741648

Why it took so long? I personally reported the issue to Google quite a long time ago, but had not the feeling they take it for serious. Sure I couldn't exactly explain what happens but from a company like Goggle I would expect they look at these things with first priority.

Peter

I'm surprised of the "fix" that has been applied: it only protects Google apps (mail, etc), but not other web sites which use "reusable" cookies to handle their sessions. So Blogger introduces a security hole to many web servers, and this has not been fixed! Am i missing something?

>> Am i missing something?

Yes. The only reason this security hole worked was because I could host a blog on Google's domain. If you enter another website's domain in the "Custom Domain" field, it will simply redirect to that website – unless the owner of the domain is pointing it to ghs.google.com and *not* using it themselves (which is very unlikely) – meaning you would therefore be unable to steal the cookies of anyone using their website.

Hi there!

I am just facing something and wondering if it has to do with the same issue. Here is the story:
I have two blogs: nomadtest.blogspot.com, and blognomadland.blogspot.com

and one domain name: www.davidg.es
By error, I switched to nomadtest.blogspot.com to custom domain www.davidg.es. In fact I wanted to swicth the other.

When I realised I went back immediately, reversing nomadtest to blogger publishing, then switched blognomadland to www.davidg.es. Surprise, error message saying "this domain is being used by another blog".

So I deleted nomadtest (the whole blog) and I tried again. Still same error. Seems like a blogger caching error, any idea? Now I can not publish my blog on my own domain.... :-((

thanks!

David Gonzalez: Here's your answer...

http://labnol.blogspot.com/2007/01/blogger-error-another-blog-is-already.html

<< While you can do nothing about it, the issue can be resolved by writing to the Blogger Support as it requires manual intervention.

The page to contact Blogger support is http://www.blogger.com/problem.g

You can also post a copy of your support request on the Blogger Group from where the Google support team represented by Blogger Buzz and Blogger Employee can pick it up. >>

Keep up the efforts man!