

Google Apps Loophole, Let You Access Other’s Domain Login Details - doh
http://jajodia-saket.sjbn.co/2012/07/google-apps-loophole-let-you-access-others-domain-login-details/

======
cpunks
This is quite exactly why I would never consider using the Google cloud, or
any customer-facing Google services for our business. Google is set up for
B2B, not B2C. Their job is to minimize customer service calls. We use Google
Apps at our business. The absolute only way we've been able to get useful
support when something breaks was to either call up a VP-level contact, or
call up a colleague who works at Google, and ask for a personal favor. This
does not scale.

I also know of the number of serious Google bugs we've run into that we just
didn't report because, quite frankly, we gave up on any bug reporting process
having any effect.

Contrast this to Amazon where our rep can put us in contact with engineers in
a few minutes, and who are of the caliber that they can e.g. help us recover a
database where the RAID volume Amazon hosted it on was damaged in a power
outage.

~~~
gouranga
I've had the same experience as well which is why we canned Google Apps during
the trials for our business. We had a show stopper when doing a test exchange
migration and we never got an email reply and never found a human to talk to
that could help. That failed the risk mitigation criteria of the trial so we
binned it.

I have absolutely no faith in them to actually sort something out in a
reasonable amount of time.

Conversely, we used Office365 in the end and it blew up (ironically with a
similar issue) during the trials. We had someone useful on the phone helping
us in under 20 minutes!

I've not had much luck with Amazon, particularly S3 as we had a number of
issues with the .NET client and they weren't very helpful. Stack Overflow was
far more useful but I don't want to trust Stack Overflow as a long term support
option!

~~~
cpunks
With Amazon, we have a business support contract. The first-line phone
operators are pretty bad -- they're neither technical nor fluent in English --
but we've been able to work up to competent people pretty quick in the one
emergency we've had since launching. Both organizations are courting us pretty
hard, so we may be a special case.

Google is a little weird. They've insisted on e.g. a conference call with a
half-dozen guys from Google, including one executive-level. That call was
entirely one-sided. They told us about all sorts of features they were
building because they thought our market segment needed them (zero of which
were actually useful to us, and which they could have discovered with even
very minimal market research). In that conference call, they didn't listen to
any of our bugs or feature requests. Whenever we've submitted support requests
through official channels, they went into what was effectively a black hole
(sometimes, we'd get a slightly derogatory response from someone clearly
powerless and clueless). Things we submit through high-level contacts get
handled -- roughly as well although slightly slower than normal, paid contacts
at Amazon. The culture at Google is a little weird, at least with respect to
dealing with large customers.

We do use Google Apps internally. It's imperfect and has showstoppers, but in
my experience, corporate IT departments are even more imperfect, and have even
more showstoppers. Based on our experiences, I'd be absolutely terrified of
using Google for anything customer-facing.

------
sudhirj
Either way, this is a fairly noob error - confusing authentication with
authorization. I'm very surprised that the business critical G Apps team hasn't
caught on to this before.

They should probably give him the maximum reward just to attempt to save face
on this.

Anyways, from now on (from
<http://www.google.com/about/company/rewardprogram.html>):

> If you have found a vulnerability, please contact us at security@google.com.
> Feel free to be succinct: the mailbox is attended by security engineers, and a
> short proof-of-concept link is more valuable than a video explaining the
> consequences of an XSS bug. Oh: if necessary, you can use this PGP key.

~~~
SaketJajodia
Ya, it is a kind of noob error, but as it's a human-made thing, mistakes can
happen..

------
poundy
I panicked initially thinking this issue was not yet resolved by Google!

Well done Saket, thanks for waiting for the bug to get fixed before posting
your article.

~~~
SaketJajodia
Even when I first saw this bug, I was totally shocked how this can be
possible..

------
AndrewDucker
It really does feel that video demonstrations of bugs are the way to go, if
you're trying to convince teams of a problem.

~~~
boundlessdreamz
I think he reached out to the support team instead of the security team.
Pretty stupid of the support team to not take security bug reports seriously.

~~~
asto
I'm not very surprised. If he told me about it, I would find it quite hard to
believe that Google's programmers made such an error too.

~~~
fletchowns
It's always the assumptions that get you.

~~~
yuliyp
This. A thousand times this. Especially when investigating security issues,
assume everything could be vulnerable or broken until proven otherwise.

------
jyap
This bug seems glaringly obvious. Any page which has the user login and
password credentials for Enom Domain Manager page would initially have someone
like me who is more security conscious looking at things like the URL and also
noticing this type of bug.

Then again, you'd need to buy your domain through Google Apps to notice this.
Maybe not many people buy their domain through Google Apps?

I'm interested to know how long this bug was out in the wild before it was
found. Months? Days?

Good find Saket and great story.

~~~
SaketJajodia
Ya, not many people buy domains through Google Apps.. And I am not sure
how long this bug was there, because as soon as I saw it I reported
the same.. Thanks.. :)

------
noomerikal
He should have asked for their names and added them to the blog post. That's
pretty lame to be laughing at someone, most likely because English is his
second language and the explanation technical in nature.

He's a better man than me. I probably would have hung up and posted directly
to here instead.

------
edcrfv
There was a similar and recent vulnerability in Google Webmaster Tools as
well.

Very scary. But what stellar alternatives exist for startups?

