

Whoa, Google, That's A Pretty Big Security Hole - bdb
http://techcrunch.com/2010/11/20/whoa-google-thats-a-pretty-big-security-hole/

======
randomwalker
I've been tracking security holes that leak your identity for a while.

Via a bug in Firefox's Error object: [http://33bits.org/2010/06/01/yet-
another-identity-stealing-b...](http://33bits.org/2010/06/01/yet-another-
identity-stealing-bug-will-creeping-normalcy-be-the-result/)

Via a bug in Google spreadsheets: <http://33bits.org/2010/02/22/google-docs-
leaks-identity/> (I found this one :-)

Via history stealing: [http://33bits.org/2010/02/18/cookies-supercookies-and-
uberco...](http://33bits.org/2010/02/18/cookies-supercookies-and-ubercookies-
stealing-the-identity-of-web-visitors/)

More sophisticated, but hypothetical version of previous:
[http://33bits.org/2010/02/19/ubercookies-history-stealing-
so...](http://33bits.org/2010/02/19/ubercookies-history-stealing-social-web/)

XSS bugs and other problems with Instant personalization partner sites:
[http://33bits.org/2010/09/28/instant-personalization-
privacy...](http://33bits.org/2010/09/28/instant-personalization-privacy-
flaws/)

I've also been predicting that this will eventually become the new normal --
both because the bugs are coming too fast to fix (and exploits in the wild
will become more common) and because Facebook is pushing to change people's
expectations with Instant Personalization.

The other day I attended a talk about one-click frauds. I realized that that's
the perfect black-hat use-case for this class of attacks (although current
1-click fraudsters are apparently rather low tech). Stay tuned.

~~~
tptacek
Bugs that allow remote attackers to _take over your computer_ when you hit an
evil web page are also coming almost too fast to fix. They aren't the new
normal, so I see no reason to back down on these kinds of problems either.

(You don't hear about most of these bugs, because the people who find them
don't usually publish before the patch hits, but ask anyone who's reported a
bunch of browser bugs how long they waited for fixes.)

~~~
randomwalker
That's a very good point. Sorry if I was unclear earlier -- I don't think we
should give up on trying to find/fix these bugs. I was thinking more along the
lines of (1) improving user education (2) improving private browsing mode to
deal with these attacks even at the expense of compromising some
functionality. Mozilla has already been thinking along these lines:
[https://wiki.mozilla.org/Security/Anonymous_Browsing#Anonymo...](https://wiki.mozilla.org/Security/Anonymous_Browsing#Anonymous_Browsing_Mode)

As for whether it will become the new normal, that remains to be seen, but I
think there are a couple of differences compared to regular privilege-
escalation exploits: (1) everyone agrees that taking over your computer is
malicious, whereas the perception of identity leaks is malleable (2) identity
leaks are harder to deal with: even after the relevant bug is fixed, the
attacker still has the mapping of your identity to your IP/browser
fingerprint.

But thanks for the comparison and I will keep an open mind about this :-)

------
mlinsey
Didn't something similar happen with Wattvision when they launched? It was a
bug in GAE authentication; the site didn't even intend to do that.

~~~
chopsueyar
Shabam!

<http://news.ycombinator.com/item?id=1794800>

------
hokkos
The non-automatic version of this (with an appspot domain, not considered a
bug; the guy logged in) has been used to discover the true identity of a guy
who claimed to reveal insider info on Twitter about the French Socialist party
(left, Parti Socialiste); he is a member of the opposing party, the UMP (right).

[http://www.rue89.com/2010/09/30/comment-le-faux-twitter-
du-p...](http://www.rue89.com/2010/09/30/comment-le-faux-twitter-du-ps-tenu-
par-lump-a-ete-debusque-168962)

~~~
woodall
I found this[1] when playing with the Google Code Playground. Not really a
vulnerability, but: i. it is on the appspot domain; ii. I can do ANYTHING I
want: make a site, force redirection; iii. that's all I have.

*They were notified a while back.

How can they fix it? i. Check the IP of sender and receiver. ii. Use htmlfill
or append a new script instead.

[1]
[http://www.christopherwoodall.com/blog/?x=entry:entry100814-...](http://www.christopherwoodall.com/blog/?x=entry:entry100814-052131;comments:1)

------
eitland
Isn't Google giving away money for documented security breaches?

------
subbu
It's funny that Google says "We encourage responsible disclosure of potential
application security issues to security@google.com" yet they didn't reply back
to this hacker who exploited the hole.

~~~
studer
And you know for sure that he contacted them that way?

------
mp6877
I just don't feel safe with Facebook connect. Seems like someone can get
information from that as well. Don't like the whole logged in while on
Facebook, to the whole internet.

------
Natsu
One way to mitigate most of these holes is to separate email from web
browsing. Some people actually use two different computers or browsers, but I
just make sure to log out (not just close the tab with) my email before I
browse any other sites. Even sites I trust (because they could have been hit
by XSS or something).

------
corin_
It's clear this issue will be resolved shortly by Google (the site's already
dead).

I just hope that, once fixed, the exploit is released for inspection.

~~~
topherjaynes
It's not like it was a Google site (gmail, gCal, or whatever) they took down.
Google took down his personal blog, which seems really sketchy. Fixing the
problem involves more than just taking down the site that says there is a
problem.

~~~
studer
Posting an active exploit to their hosting service is a pretty massive
violation of the blogger ToS, though...

------
mike-cardwell
Stuff like this is why I use an IMAP client instead of webmail.

~~~
mbreese
I still use webmail, but I use a Fluid.app- (or Prism-) wrapped version of Gmail
so the authentication info doesn't get shared with my main browser (Chrome).

This is a handy, albeit unintentional, benefit of using a desktop app-ified
web site.

~~~
mike-cardwell
Cool. I didn't know there was anything like Fluid.app. I'll give it a try.

------
acex
I also think of it as a feature, or near to it. I hate signing up for sites as a
user, and as a developer I hate that chicken-and-egg issue with users who hate to
sign up. I visit the site, I click "send me password", and the site looks me up
and sends me a new password or reminder, and I log in by just typing the
password. This as an example.

~~~
panacea
My head hurts slightly from trying to parse your comment. I realize English
probably isn't your first language, but I think you should try and rephrase it
if you want to be understood.

~~~
mogilny
Translation: user privacy is a barrier for him as a developer, just like
English.

~~~
pyre
More concisely, he/she wants to be able to discover a user's email address
when they visit a site, so that the user just has to click a "create an
account, and email me my password" button. (i.e. removing barriers to user
sign-up to his/her site) This obviously conflicts with the idea that a user
should be able to keep that information private.

------
spoiledtechie
If I were Google, I would probably offer him a job...

------
drivebyacct2
Why has not a single person mentioned that TC is just wrong? The problem is
not that it gets your email address... it looks like it's likely that the
website isn't even getting the gmail address.

It's much worse. The blog author is able to send emails through an API that
appear to be from "noreply@gmail.com" with the proper headers. So instead of
getting a funny little email, you get a phishing email that even Gmail isn't
smart enough to block.

But, I mean, sure, let's act scared that some website can get my gmail. You
want it? I'd be happy to give it to anyone, spam or otherwise.

~~~
yanw
Yup:

 _Update 4: Google says the issue is now resolved: “We quickly fixed the issue
in the Google Apps Script API that could have allowed for emails to be sent to
Gmail users without their permission if they visited a specially designed
website while signed into their account. We immediately removed the site that
demonstrated this issue, and disabled the functionality soon after. We
encourage responsible disclosure of potential application security issues to
security@google.com.”_
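Both Natsu's mitigation (log out of email before browsing) and Google's statement above describe the same mechanism: the browser attaches the signed-in session cookie to requests triggered by any page, so a "specially designed website" can drive an API as the user, and the hosting domain it lives on may even look like the API's own site. The following is an added example, not code from the thread, from Google, or from the blog in the article: a server-side authorization check for a cookie-authenticated, state-changing call. The hostnames, cookie names, header values and function names are constructed for the demo; the weak suffix-match check is shown beside the hardened exact-origin check because a shared app-hosting domain is exactly where the suffix match fails.

```javascript
// Added example (not from the thread): server-side check for a
// cookie-authenticated, state-changing API call such as "send a message
// as the signed-in user".  The browser sends the session cookie from any
// page, so the server must also verify which page issued the request.
// All hostnames, cookie names and header values are constructed.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null; // absent or unparsable
  }
}

// Weak check: trusts every origin under a shared hosting domain.  Where
// anyone can deploy an app on that domain, the attacker's page passes too.
function trustedBySuffix(origin, sharedSuffix) {
  const o = originOf(origin);
  if (!o) return false;
  const host = new URL(o).hostname;
  return host === sharedSuffix || host.endsWith("." + sharedSuffix);
}

// Hardened check: exact-origin allowlist plus the browser's own metadata.
// `headers` is a plain object with lower-cased header names.
function authorizeStateChange(method, headers, trustedOrigins) {
  const cookie = headers["cookie"] || "";
  if (!/(^|;\s*)SID=/.test(cookie)) {
    return { ok: false, reason: "no session cookie" };
  }
  if (SAFE_METHODS.has(method.toUpperCase())) {
    // A side-effecting GET is reachable from an <img src> on any page.
    return { ok: false, reason: "state change on a safe method" };
  }
  const fetchSite = headers["sec-fetch-site"];
  if (fetchSite && fetchSite !== "same-origin" && fetchSite !== "none") {
    // "same-site" is rejected on purpose: on a shared hosting domain that
    // is what the attacker's own app looks like.
    return { ok: false, reason: `sec-fetch-site=${fetchSite}` };
  }
  const source = headers["origin"] || originOf(headers["referer"] || "");
  if (!source) {
    // Older browsers send neither header and a page can suppress Referer;
    // fail closed rather than assume the request is benign.
    return { ok: false, reason: "cannot determine requesting origin" };
  }
  if (!trustedOrigins.has(source)) {
    return { ok: false, reason: `untrusted origin ${source}` };
  }
  return { ok: true, reason: "request from trusted origin" };
}

// Constructed requests as the API server would see them.
const SESSION = "SID=abc123; HSID=def456";
const TRUSTED = new Set(["https://mail.example.com"]);
const SHARED_SUFFIX = "apps.example"; // hosting domain used by the weak check

const REQUESTS = {
  // the user's own webmail page calling the API
  legitimate: ["POST", { cookie: SESSION, origin: "https://mail.example.com", "sec-fetch-site": "same-origin" }],
  // a specially designed page elsewhere; the browser still attaches the cookie
  crossSite: ["POST", { cookie: SESSION, origin: "https://evil.example.net", "sec-fetch-site": "cross-site" }],
  // attacker's app on the same shared hosting domain as the API
  sharedDomainApp: ["POST", { cookie: SESSION, origin: "https://evil-app.apps.example", "sec-fetch-site": "same-site" }],
  // older browser, Referer suppressed by the attacker's page
  noOriginInfo: ["POST", { cookie: SESSION }],
  // the same attack against a user who logged out first
  loggedOut: ["POST", { origin: "https://evil.example.net", "sec-fetch-site": "cross-site" }],
  // side-effecting GET, triggerable from an <img> tag
  getWithSideEffect: ["GET", { cookie: SESSION, origin: "https://mail.example.com", "sec-fetch-site": "same-origin" }],
};

function evaluateAll() {
  const out = {};
  for (const [name, [method, headers]] of Object.entries(REQUESTS)) {
    out[name] = authorizeStateChange(method, headers, TRUSTED).ok;
  }
  return out;
}

console.log(JSON.stringify(evaluateAll()));
console.log("suffix check trusts attacker app:",
  trustedBySuffix("https://evil-app.apps.example", SHARED_SUFFIX));
```

Only the `legitimate` request is honored; the logged-out request fails at the first check, which is why logging out works as a user-side mitigation, while the other four show what the server itself has to refuse. Exact-origin matching matters on any domain where strangers can host content; today appspot.com is on the Public Suffix List precisely so that browsers and cookie logic treat its subdomains as separate sites.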

