Latest Security Hole Details

Tony Ruscoe, who found Google's latest vulnerability, goes in detail about how he found the problem, what it would have meant for victims, and exactly how it worked.  He explains how a new feature in Blogger was easily exploited to give him access to Philipp's Google account.

"As any web developer will know, a page hosted at an address like ghs.l.google.com is perfectly capable of reading and writing google.com cookies, which meant that when Philipp visited my “proof of concept” page hosted on the ghs.l.google.com domain, I was able to “borrow” his google.com cookie data. This can be easily achieved using some simple JavaScript that would read the cookie and place the data into a hidden form field element. The form could then be automatically submitted to another server which would be hosting a server-side script capable of logging the form data to a database or text file, or sending it in an email."
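The cookie-scoping rule Tony relies on is the standard RFC 6265 domain match: a cookie set with `Domain=google.com` is sent to, and readable by script on, every host under google.com, including a user-controlled one like ghs.l.google.com. The following added example (not code from the post or from Google) models that rule so a defender can check what a given cookie's scope actually exposes; the host names are taken from the post, and the `HttpOnly` handling is the usual mitigation for the script-read half of the problem.

```python
from typing import Optional


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-match: host equals domain or ends with '.' + domain.
    (IP-address hosts are out of scope for this illustration.)"""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookie_scope(set_by_host: str, domain_attr: Optional[str]) -> dict:
    """Effective scope of a cookie set by `set_by_host`.
    No Domain attribute => host-only cookie (RFC 6265 s5.3 step 6).
    A Domain attribute that does not cover the setting host is rejected,
    as a browser would ignore such a cookie."""
    if domain_attr is None:
        return {"host_only": True, "domain": set_by_host.lower()}
    d = domain_attr.lower().strip(".")
    if not domain_matches(set_by_host, d):
        raise ValueError("Domain attribute does not cover the setting host")
    return {"host_only": False, "domain": d}


def sent_with_request(scope: dict, page_host: str) -> bool:
    """Would the browser attach this cookie to a request to page_host?"""
    if scope["host_only"]:
        return page_host.lower() == scope["domain"]
    return domain_matches(page_host, scope["domain"])


def readable_by_script(scope: dict, page_host: str, http_only: bool) -> bool:
    """Would document.cookie on page_host expose this cookie?
    HttpOnly blocks the script read but NOT transmission (see sent_with_request)."""
    return (not http_only) and sent_with_request(scope, page_host)


if __name__ == "__main__":
    # Constructed scenario from the post: a session cookie scoped to all of
    # google.com, versus the same cookie left host-only on www.google.com.
    wide = cookie_scope("www.google.com", "google.com")
    narrow = cookie_scope("www.google.com", None)
    for name, scope in (("Domain=google.com", wide), ("host-only", narrow)):
        print(f"{name}: sent to ghs.l.google.com ="
              f" {sent_with_request(scope, 'ghs.l.google.com')},"
              f" readable by script = {readable_by_script(scope, 'ghs.l.google.com', False)}")
```

The second line of output shows the fix a defender actually wants: a host-only (or narrowly scoped) cookie is neither sent to nor readable from the user-controlled subdomain, whereas HttpOnly alone still lets the cookie travel to it.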

Google was quick on the ball to fix the problem — just as they were on January 1st when the contact list hijacking vulnerability was discovered.  It took about three hours to remove the page Tony had posted on Google's servers, and later that night they responded with this message:

"Thank you for reporting this issue to us. We take the security of our users and their information very seriously. We wanted to let you know that we addressed this problem with expediency and have taken steps to ensure it cannot occur again."

ZDNet

Blogger, Google, Security, Privacy