Monday, June 4, 2007

Google Services Security Hole Exposed

Recently, a few security holes has been discovered in various Google services. The zero-case happened when Google Desktop was found vulnerable to an exploit that allows a determined attacker to remotely run most programs installed on a victim's machine. It is a man in the middle (MITM) attack injecting code that forces a user to click on a “Google Desktop result”. The person who discovered the Google Desktop vulnerability posted the details of this attack here.

The case was then followed with the discovery of an XSS attack on Gmail where an attacker could hijack your Gmail session by getting you to visit a malicious website. However, Google promptly fixed this one after it was posted.

Another security hole discovered this week was found in a tool that webmasters can use to request removal of pages. Anyone could traverse up the directory tree to see files on Google’s servers that should be confidential. For instance, a blogger was able to find a root password for one of Google’s databases by simply downloading a file. The most interesting point is that he discovered the password used was utter simplicity: 6 chars long 4 digits and two letters. Pretty ironic given Google's advisory on password strength, isn't it?

Maybe Google should make a mention about these series of incidents in their newly established Security Blog. :P

[Via Googling Google]

1 comment:

Dave Bradley said...

Yet another reason not to use Web 2.0 services and to stick to more traditional standalone tools for email, desktop indexing, news reading etc.

db

Post a Comment

New! You can now receive emails whenever there are follow-up comments by signing into Blogger.

Off-topic posts will be deleted