Tony Ruscoe, who found Google’s latest vulnerability, goes into detail about how he found the problem, what it would have meant for victims, and exactly how it worked. He explains how a new feature in Blogger was easily exploited to give him access to Philipp’s Google account.
Google was quick on the ball to fix the problem — just as they were on January 1st when the contact list hijacking vulnerability was discovered. It took about three hours to remove the page Tony had posted on Google’s servers, and later that night they responded with this message:
“Thank you for reporting this issue to us. We take the security of our users and their information very seriously. We wanted to let you know that we addressed this problem with expediency and have taken steps to ensure it cannot occur again.”
Blogger, Google, Security, Privacy