Details of Google's Latest Security Hole
Art-One | Sunday, January 14, 2007 17 years ago • 9,708 views |
Tony, congrats with your research on the Security Hole. Also thanks for mentioning my initial reporting. I did see the security problem, but I didn't have time to research it more in depth and I'm sure I don't have the knowledge you have to make the whole setup... Thanks again!
One other question, I did report this bug to Google via the blogger support pages. Until today I didn't receive a reply from them. You've reported the bug and they both replied to you and solved the problem in a little more than 3 hours. If -ever- I find another security hole, what is the fastest way for me to report this to Google? |
Jyaif | 17 years ago # |
I think it's worth mentioning that after changing your password, you should also check if your emails are not automatically forwarded to another email address. |
TOMHTML | 17 years ago # |
Thanks for the explanation Tony! |
Ionut Alex. Chitu | 17 years ago # |
Lovely story, Tony. You should write more. |
Haochi | 17 years ago # |
<<If -ever- I find another security hole, what is the fastest way for me to report this to Google?>> Fax to your nearby Google office. :) http://www.google.com/corporate/address.html |
Kylie Manders | 17 years ago # |
I do not trust Google with any of my personal information. They are an evil company. |
Tony Ruscoe | 17 years ago # |
Art-One said:
<< If -ever- I find another security hole, what is the fastest way for me to report this to Google? >>
I just emailed: security@google.com
Jyaif said:
<< I think it's worth mentioning that after changing your password, you should also check if your emails are not automatically forwarded to another email address. >>
Good suggestion. However, in this case I couldn't access Gmail using just the google.com cookie so I wouldn't have been able to change any settings like this. |
Ran | 17 years ago # |
I never liked the way Google handled login/cookies. You could also be signed in through 2 different computers, logout on one computer, but the remaining computer would remain signed in. So let's say you forgot to logout at a computer, you would have no way of getting that computer to logout unless you physically accessed it again, even if you sign in and sign out at a different computer. Add this with the long (and unconfigurable) expire time for login, and you have a problem for forgetful people.
I suppose they did it in the interest of convenience but I would rather have my security. I see people moan about Yahoo expiring all the time (even though it IS configurable) and requiring login again, so I guess there aren't many people who prefer it that way. |
Art-One | 17 years ago # |
Tony: thx, I'll keep that in mind...
|
Elias Kai | 17 years ago # |
I think Adwords, Adsense and Google CheckOut have the same problem. |
alek | 17 years ago # |
Great detailed writeup Tony and handled very professionally – so when is the big "G" going to make you a job offer?!? ;-) |
Jyaif | 17 years ago # |
They don't need to, he already works for them for free! |
justinf | 17 years ago # |
congrats – you've made it to the front page of digg.
|
Weber Ress | 17 years ago # |
Portuguese translation of this article – http://www.weberress.com/2007/01/vulnerabilidade-de-segurana-do-google.html |
Niraj Sanghvi | 17 years ago # |
Haochi, have you found yet another exploit? :
http://blogs.zdnet.com/Google/?p=451 |
Tony Ruscoe | 17 years ago # |
I think the one Haochi's found is the same as this one from November 2005: http://jibbering.com/blog/?p=189
It was apparently fixed, so maybe it's just been re-introduced.
[Via http://blogoscoped.com/archive/2005-11-22-n22.html although the permalink is wrong.] |
Ionut Alex. Chitu | 17 years ago # |
the Base XSS: http://digg.com/security/Details_of_Google_s_Latest_Security_Hole#c4741648 |
Peter Gloor | 17 years ago # |
Why did it take so long? I personally reported the issue to Google quite a long time ago, but did not have the feeling they took it seriously. Sure, I couldn't exactly explain what happens, but from a company like Google I would expect they look at these things with first priority.
Peter |
;Op | 17 years ago # |
I'm surprised by the "fix" that has been applied: it only protects Google apps (mail, etc), but not other web sites which use "reusable" cookies to handle their sessions. So Blogger introduces a security hole to many web servers, and this has not been fixed! Am I missing something? |
Tony Ruscoe | 17 years ago # |
>> Am I missing something?
Yes. The only reason this security hole worked was because I could host a blog on Google's domain. If you enter another website's domain in the "Custom Domain" field, it will simply redirect to that website – unless the owner of the domain is pointing it to ghs.google.com and *not* using it themselves (which is very unlikely) – meaning you would therefore be unable to steal the cookies of anyone using their website. |
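The cookie-scope point in the reply above, as an added example that is not part of the original thread: a small audit that applies the RFC 6265 domain-match rule to show which hosts serving user-controlled content would receive a given session cookie. The hostnames and cookie names are constructed, and the parent-domain `Domain` attribute is an assumption (the thread only refers to "the google.com cookie").

```javascript
// Added example: RFC 6265 domain-match, used to audit cookie scope.
// All hostnames and cookie names below are constructed for illustration.

// RFC 6265 section 5.1.3: a host matches a cookie domain if the two are
// identical, or if the host ends with "." + domain and is not an IP address.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// A cookie set without a Domain attribute is host-only: the browser sends
// it back only to the exact host that set it.
function receivesCookie(host, cookie) {
  if (cookie.domain === null) {
    return host.toLowerCase() === cookie.setBy.toLowerCase();
  }
  return domainMatch(host, cookie.domain);
}

// For each cookie, list the user-content hosts that would receive it.
function auditCookieScope(cookies, userContentHosts) {
  return cookies.map((c) => ({
    name: c.name,
    exposedTo: userContentHosts.filter((h) => receivesCookie(h, c)),
  }));
}

// Constructed sample: one cookie scoped to the parent domain, one host-only.
const sampleCookies = [
  { name: "sid_wide", domain: ".example.com", setBy: "www.example.com" },
  { name: "sid_hostonly", domain: null, setBy: "accounts.example.com" },
];
// Constructed sample: a blog on a subdomain of the provider, and a blog on
// a domain owned by someone else.
const sampleHosts = ["userblog.example.com", "www.customer-site.test"];

const report = auditCookieScope(sampleCookies, sampleHosts);
console.log(JSON.stringify(report, null, 2));
```

The parent-domain cookie reaches the user-controlled subdomain but not the unrelated custom domain, and the host-only cookie reaches neither.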
David Gonzalez | 17 years ago # |
Hi there!
I am just facing something and wondering if it has to do with the same issue. Here is the story: I have two blogs: nomadtest.blogspot.com, and blognomadland.blogspot.com, and one domain name: www.davidg.es. By error, I switched nomadtest.blogspot.com to custom domain www.davidg.es. In fact I wanted to switch the other.
When I realised I went back immediately, reversing nomadtest to blogger publishing, then switched blognomadland to www.davidg.es. Surprise, error message saying "this domain is being used by another blog".
So I deleted nomadtest (the whole blog) and I tried again. Still same error. Seems like a blogger caching error, any idea? Now I cannot publish my blog on my own domain.... :-((
thanks! |
Tony Ruscoe | 17 years ago # |
David Gonzalez: Here's your answer...
http://labnol.blogspot.com/2007/01/blogger-error-another-blog-is-already.html
<< While you can do nothing about it, the issue can be resolved by writing to the Blogger Support as it requires manual intervention.
The page to contact Blogger support is http://www.blogger.com/problem.g
You can also post a copy of your support request on the Blogger Group from where the Google support team represented by Blogger Buzz and Blogger Employee can pick it up. >> |
Gopal Aggarwal | 17 years ago # |
Keep up the efforts man! |