GoogHOle Exploits GMail, Picasa and 200K Other Sites
Giorgio Maone writes "Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites which outsourced their search engines (vulnerabilities included in the price). If even Google, a very reactive company when web security matters, does face this kind of problems, how serious is the threat and what can you do, as a "normal" web user, to protect yourself?"
How do we blame this on Microsoft?
at the end of the day, when you rely on third party apps run by a completely different company, you can't do ANYTHING to protect yourself.
Normal users? Here?
Is it completely in their hands?
How do I know if I'm vulnerable?
Can I do anything to protect myself?
If you mod this up, your slashdot background will turn into a beautiful sunset!
What's the guarantee that crackers weren't using the vulnerabilities earlier than they were found? I think the normal user is always vulnerable because the bad guys might, just might, have figured things out earlier and have been using them.
The article is very low on details. I read it and I'm still not sure how it works, whom it affects and what I can do to protect myself (obviously, since I don't know how it works).
It would have been nice if they went into some more detail for technical users.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
According to the article, the exploit uses cross-site scripting, also known as XSS. There is a Firefox plugin called NoScript that limits cross-site scripts. The article points you to http://noscript.net/features#xss which describes the anti-XSS protection of NoScript. The NoScript page suggests that you only load Firefox plugins from addons.mozilla.org and sends you to https://addons.mozilla.org/en-US/firefox/addon/722 where you can download NoScript.
--- Often in error; never in doubt!
Don't trust your data to 'on line' providers.
---- Booth was a patriot ----
You'll never be safe.
Complex software designed for diverse interactions will always be vulnerable to some kind of attack, even if it's as simple as someone walking out of a data center with a thumb drive in their pocket. Almost every vulnerability stems from a "feature" implemented to make software easier/flashier/useful. Flexibility and expansiveness carry with them the price of vulnerability, and pretending otherwise is to wear blinders.
Of course developers should do their best to prevent security problems -- but there is only so much that can be done when you also need to implement Really Cool Stuff. Every door you make is a door than can be kicked in, no matter how good your locks. The real world has never offered perfect security because it can't -- why expect engineered items to be safe from all evil?
Treat software and computers with caution, like walking through a major city's downtown at midnight. Sure, it's dangerous at times -- but it can also be exciting. Just don't pretend that danger doesn't exist...
All about me
FTFA:
... but I already use a separate SeaMonkey browser profile for my GMail account (don't want it being associated with my normal Google searches), and access untrusted URLs using another browser running under a different user. As a matter of habit (I do web-based stuff and I'm used to having several different browsers open). Probably not 100% foolproof, but helps me sleep easier at night.
I hope that I'll never have to install a patch from Google. I think that would be the worst day. Does anyone know if Google will fix this problem (I'm not even sure what the problem is, other than there's 3 of them) or are they going to tell us what we need to prevent those exploits?
Seems like these articles are never clear (or I just miss it) but how many of these exploits work on Linux?
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
if only I had followed the trend to use gmail and picasa I would be quite upset
This post contains no useful information; no need to mod it down.
If even Google, a "very reactive" company faces these issues, what can be done? The answer: Nothing can be done.
There is no way (unless you're writing something with hundreds, rather than thousands of lines of code) that every code path is going to be audited carefully enough to catch every possible bug. Good coding practices aside, programmers are human and make errors. You do your best to catch as many as you can, and that's all you can do. When you're a "consumer" of code, you look for an organization that seems to be doing this and use their stuff. There's no complete, proactive solution to bugs.
The important thing is that you want someone "very reactive." An organization that acknowledges these flaws up-front, publicly announces vulnerabilities with a work-around until they're patched, and then corrects problems in a timely manner. Some companies are more like this than others.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
That's a no-brainer - many vulnerabilities are found after they have already been exploited.
At the end of the day you can sight all kinds of flaws in Microsoft and closed source software. However, as long as you're running that software LOCALLY on your computer, then you have the ability to take measures to protect yourself.
If you're drinking the google-juice just because it's "cool" or you want to support them because they're "not evil", you're only doing yourself a dis-service.
Keep your email local, don't save your passwords on a public "service", don't keep naked pictures of your girlfriend on your "G-Drive", etc etc etc
Common Sense
a luxury for developers.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Neither can you if you hire people to implement it on your own company.
And if you do it yourself, you can be sure that the security will not be higher than your own skill set.
If you want to trust nobody, you might as well retreat to an isolated island somewhere, as you will be unable to function in a society. The key to functioning in a society isn't distrust, but to be able to judge who to trust and who not to. Which is quite annoyingly mostly a social rather than a technical skill.
----
I personally trust the people at Google more than I trust the people and products responsible for our internal mail solution (which is also available as web mail). Especially with regards to competence (as opposed to integrity). So I would love for us to switch.
It's really an extension of "don't log in as an admin" mentality to web-based services.
But.. but.. just yesterday we were told that Gmail was "revolutionary". /facepalm
I do not respond to cowards. Especially anonymous ones.
Google are among the worst when it comes to being reactive. Example:
Bogtha Bogtha Bogtha
perhaps one of the simplest examples of a program involving transactions and user interaction
now consider the number of hacks you can use to exploit a vending machine (granted many are physical hacks, but you could call that analogous to social engineering hacks involving "real" software)
now, if something as simple and as straightforward as a vending machine can be exploited, then the obvious conclusion is that:
we should not express shock that google can be hacked, but we should express shock that any of us expected it couldn't be hacked
any computer program of sufficient complexity will be hacked. not could be. will be
and the internet is well into the zone of "sufficient complexity"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
You obviously need to exploit a GoogHOle.
I have excellent Karma and I am not afraid to Troll it.
"..If even Google, a very reactive company when web security matters, does face this kind of problems, how serious is the threat and what can you do, as a "normal" web user, to protect yourself?"..
It's to do with size of target! Google is a big target. I'm not. I don't need much security at all, because I don't attract attention to myself.
But if you want to scare the security freaks, go right ahead. Me, I'll keep my head down.
> what can you do, as a "normal" web user, to protect yourself?"
Nothing! Me, I'm not normal so I disable javascript and am unable to use sites or services requiring it. Usually I'd be berated for disabling script but I have observed that the detractors remain quiet when events like this occur.
It doesn't matter how many ad networks, social networks and other online services have to be used to deliver malware, compromise desktop machines or user accounts; javascript proponents remain in denial.
Security Through Multiple Personality Disorder
which is of course a joke, but is a philosophically sound observation: you can't steal the identity of someone whose identity is fluid
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Turn off client side scripting.
OR
echo "127.0.0.1 google.com" >> /etc/hosts
When I first started in web development it was hammered into us that client side scripting MUST degrade gracefully. What ever happened to that rule?
I hate sites locked to "Web2.0" only! For the most part I will not use them. There are only a handful of URLs in my scripting white list, most of them my own sites.
Yes, I use some client scripting, but it degrades properly.
Looks like Google will not be the FOSSie community's "great white hope" coming out to beat Microsoft and show them how it's done.
Google is great and all, in a late 90's dot-bomb "new economy" way (I mean, who doesn't like free stuff?), but eventually the price of having all your personal information in Google's huge data mine is going to cost far more than it's worth.
Perhaps we'll see a temporary decline in falling chairs?
And Slashdot seems to be triggering NoScript quite a lot.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Don't draw attention to yourself.
If they don't have a reason to target you, they probably won't.
well, i use flexcar (rental car sharing), and it is WONDERFUL. I don't have to maintain it, deal with insurance, nada. I just use their car, and walk away when I am done with my rental.
I handle most third party apps for the Mac (which are usually on a .dmg) like this:
(1) Download the .dmg to ~/noinstall/.
(2) When I wish to use that app, I mount the image and use the app from the temporarily mounted image.
(3) When done using the app, unmount.
(4) Profit!
Of course there are quite a few GNU apps on my Mac which were built and installed from source, but I've never had a reason to feel leery of those. All the G-apps and all third party proprietary apps are in ~/noinstall. Always knew that would pay one day...
Caveat Utilitor
If you've been stupid enough to follow the links, you can disable the forwarding from GMail's Settings->Forwarding and POP->Disable forwarding
LOL.
I didn't know you were posting at -1 these days. I remember when you had excellent karma. How the mighty ignorant have fallen.
You just made my day.
I don't let websites keep my credit card info, or any password other than the one needed to unlock their own site, or any other personal info that is valid outside their own realm, unless their service won't work otherwise.
The Web would be a lot more secure if my browser had a keyring integrated with my own computer, and I kept my secrets on my own computer under my own control. When challenged by any server for a secret, my browser or other client SW I'm using should pull the secret from the keyring and supply it to the server. That service should let me use a master key from any remote terminal to query my own computer, over my home broadband or wherever I keep the secrets. All by a standard protocol that lets me just fill web forms (and other challenges) as I do now, possibly entering the master key and maybe an additional confirmation challenge to let the 3rd parties communicate, but otherwise just as transparent as just filling in the forms.
If a 3rd party server is going to store my secrets, I want it to be my bank. I don't know why banks haven't gotten into this business already, after well over a decade watching their profits multiply from the Web, along with many risks. Maybe Google will push a key distribution protocol like this in partnership with some banks. That would also finally get Google into the payment business to challenge eBay's PayPal, which I hate precisely because its (mostly unregulated) global Internet bank is a monopoly, and I don't trust PayPal with my secrets. If Google does recover from this crack, they might be solid enough to trust.
--
make install -not war
Of course, exploitable programs are all Microsoft's fault - which must be why the remote root exploits for Quake 1 and 2 for Linux must be all Linus' fault!
Let's be honest, exploitable applications are OS independent. Though I guess honesty never really comes into it with you, hmm?
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
I see many here making excuses for Google ("You'll never be safe with online service providers", "There's nothing Google can do", etc) and offering solutions ("Use Firefox with Noscript", etc). But I can't help but laugh because I know that if this were about Microsoft web services being exploited, the comments would be completely different. The number of comments would be at least five times greater than they are here and would be filled with gloating and screaming over Microsoft's "incompetence" and whatnot.
You know that there is some truth in what I say.
It looks to me that there are major holes in Google's services, and they need to be called out on it, not given excuses.
-- "I never gave these stories much credence." - HAL 9000
How can anyone know for certain if the vulnerabilities they are finding and patching are truly overlapping that of the vulnerabilities exclusive to the bad guys (yellow circle overlapping red circle), or if they are finding vulnerabilities outside of those known exclusively by bad guys (yellow peanut shape)?
Has anyone bothered to stop and think that maybe, just maybe, we should be focusing on making the totality of vulnerabilities (blue circle) smaller instead of focusing on making the vulnerabilities known by the good guys (yellow circle) eclipse that totality (blue one)?
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
There are no absolutes but the risks could be reduced by not using such bleeding edge tech/services (which seems against the Google always-beta policy), or by having true AI (not there yet though maybe something useful could be done now) at all the major nodes of the net that can understand what is going on in real time and block off those parties (although this is vulnerable to distributed attacks).
However this is perhaps good for me since I write search engines. One I installed at a big company for 5 years (and beat out Alta Vista at the time) got outsourced to Google instead when the replacement hardware manufacturer went out of business. Presumably though such a company as that one would not really even see the current vulnerability news as a blip on the radar yet, so Google has a short grace period to respond.
How about people who were looking to move their internal office applications to google (there were hundreds of people here on Slashdot saying they were planning on doing just that), are their critical private documents at risk or not? I've never been fond of software as a service for internal business functions, and this seems like another concern point against it.
FTFA
"For such an attack to be successful, the victim just needs to visit a malicious website while logged in Google, e.g. by following a link from an incoming message"
So, if I use Outlook (yeah, yeah) and POP to get my gmail and have it open, is that the same as being logged into Google while I surf with Firefox? Anybody know?
Outside becomes the new inside.
I can't get through your layered firewalls and paranoid exchange configuration directly. However, I can send a few users email with "CLICK HEAR FOR CUTE LOLCATS PICZ" links. When they visit that site, they get humorous cat image macros and some nasty javascript that silently scans your intranet for vulnerable applications, or uploads a few random .doc files, or sends me all their cookies, etc.
0 1 - just my two bits
That's only true because the W3C and the browser people aren't interested in helping make things more secure.
I've been proposing the following for _years_:
http://www.google.com/search?num=100&hl=en&safe=off&q=%22Tag+to+disable+unwanted+features%22
http://lists.w3.org/Archives/Public/www-html/2002May/0021.html
http://www.mail-archive.com/mozilla-security@mozilla.org/msg01448.html
http://lists.w3.org/Archives/Public/www-html/2007Aug/0008.html
It will help. But I'm no longer going to bother explaining in detail how (read the links if you're interested). Since:
0) I already tried many times
1) Nobody who can do anything about it really cares or is listening
2) On the bright side, it means more money in the IT security business. $$$
I'm just saying a) yes, something can actually be done to make things better. And it isn't just Google's fault or a Mozilla or IE problem, and b) "I told you so"
People who say we only need good server side filtering are stupid and/or ignorant. In the real world the web browsers don't parse everything the same way. So how is your server side filtering going to cover all the cases? The attacker just needs one exploitable "discrepancy" and they're in.
Of course my proposal won't fix everything, but just because brakes don't prevent all car crashes doesn't mean we don't need brakes and we should just tell drivers to drive better and avoid crashes (or just raise "security exceptions" if stuff happens
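As an added illustration of the filtering argument above (this is example code, not from the post or its author): a server-side blacklist only removes markup it recognises, so whatever a lenient browser parser accepts that the blacklist does not know about passes through; context-aware output encoding instead makes the few characters that can open a tag or close a quoted attribute inert, so the result does not depend on how any particular browser parses.

```python
"""Blacklist filtering versus output encoding for untrusted HTML text.

Added example; the regex blacklist and sample strings are constructed
for illustration and do not come from the thread or from any product.
"""
import html
import re

# A typical blacklist: strip anything that looks like a <script> element.
# This is the kind of server-side filter the post calls insufficient:
# it has to enumerate every dangerous construct in every spelling a
# browser might accept, and it ignores markup it does not recognise.
_SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>",
                         re.IGNORECASE | re.DOTALL)


def blacklist_filter(untrusted: str) -> str:
    """Remove <script>...</script> elements and return everything else raw."""
    return _SCRIPT_TAG.sub("", untrusted)


def encode_for_html_text(untrusted: str) -> str:
    """Encode for insertion into HTML text content or a quoted attribute.

    html.escape(quote=True) turns & < > " ' into entities.  With those
    five characters gone, no HTML parser, strict or lenient, can find a
    tag start or an attribute boundary in the output, so there is no
    "discrepancy" between browsers left to exploit.
    """
    return html.escape(untrusted, quote=True)


def raw_markup_chars_remain(s: str) -> bool:
    """True if a character that can open a tag or end a quoted attribute
    value survives in s.  Ampersands are not checked here because a
    correctly encoded string legitimately contains them inside entities.
    """
    return any(ch in s for ch in "<\"'")


# Constructed samples: a classic script element, ordinary markup the
# blacklist has no rule for, and plain text containing quote characters.
SAMPLES = [
    "<script>alert(1)</script>",
    "<div>hello</div>",
    'plain text & "quotes"',
]


def compare(samples=SAMPLES):
    """For each sample return (blacklist output, raw markup chars left after
    blacklist, raw markup chars left after encoding)."""
    results = []
    for s in samples:
        filtered = blacklist_filter(s)
        results.append((filtered,
                        raw_markup_chars_remain(filtered),
                        raw_markup_chars_remain(encode_for_html_text(s))))
    return results


if __name__ == "__main__":
    for sample, (filtered, raw_after_filter, raw_after_encode) in zip(SAMPLES, compare()):
        print(f"{sample!r}: blacklist -> {filtered!r} (raw markup left: {raw_after_filter}); "
              f"encoded leaves raw markup: {raw_after_encode}")
```

The second sample is the point of the post: the blacklist never touches it because it is not a script element, while encoding neutralises it the same way it neutralises the first.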
According to Twitter, Microsoft is to blame for all of the problems in the history of the universe. Heck, all viruses that compromise the human immune system must be the fault of Microsoft according to Twitter. Twitter is a nut case and everyone should treat him as such, no matter which OS he advocates for or against.
Many of these "online services" are done better by local software anyway. Why put your security in the hands of others, especially when they are in a much more vulnerable position (web-based service)??
Just Google it!
The "pwned" tag.
Hahahahah! If I didn't know better I'd say you're actually serious. Thanks for the chuckle!
Nothing. Relax and wait for Google to fix the problem, as they surely will. Everything has some vulnerabilities, but the odds of them targeting me out of millions of people is very low. So low it's not a risk I feel any need to worry about. The endless "security" mantra is bullshit, mostly used to whip clueless consumers into making various moves from or to some product. Really it's an iterative process, an arms race if you will. Anything can happen. Your office or home can be broken into very easily too, ya know. So what? If you're really so fucking concerned about your precious pictures being accessed through Picasa, maybe you should just learn to burn them to a CD and mail them to people.
Newsflash - thanks to your own stupidity, there are few people on Slashdot who don't know that Erris and Twitter are the same person. Or is it just a coincidence that you both submit the same journals to the Firehose, both come from Baton Rouge, and both have the same "fuck shit" style of posting, down to the phrasing and the choice of external links you use to emphasise your failing, irrelevant point of view?
I submit it is not - the quicker you stop gaming Slashdot the better for everyone.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
The problem Microsoft have with this regard is that a) there *are* security issues with Windows that simply do not occur elsewhere and popularity *is* an issue. Windows is less secure than its OSS counterparts when coupled with a user and an internet connection; this isn't just poor design or poor planning, much of it has to do with how applications use the Win32 API and the sheer complexity of the same. b) When a Windows exploit is identified, whether it is an Office issue, an OS issue, an IE issue, a driver issue etc. (even a totally third party application issue) it is seen as a Microsoft issue (not an Office team/Explorer team etc. issue). In the OSS world an exploit is at most associated with whichever application it is found in*; it is rarely seen as a *Linux* issue, and frankly that is fair, Linux is far more modular than Windows (and as such (at least in places) less well integrated)
As for twitter, I have to say its getting a little bit boring, both reading that everything is Microsoft's fault and the twitter bashing. twitter seems to have valid points sometimes and as such I wish people would respond with regard to the post rather than the person posting.
Not that my wishing for things gets me anywhere!
*Unless it is a study comparing open and closed source, in that instance whichever method is better for the study sponsor will prevail.
"Normal" is in quotes now?
WARNING: Smartphones have side effects--most of them undocumented.
Any other story about an exploit in a web application gets the "it's the lazy internet programmers fault" - but of course if it's the blessed google it can't possibly be that.
All hail google.
This has to be the stupidest industry on the planet.
I'm a very paranoid guy, so much so that I went to the insane step of deleting the cache and cookies of my browser before and after going to porn sites for fear of exactly such an attack surfacing. So assuming these exploits have been known for some time before this, I can be a little more sure of none of my accounts having been compromised. :S
I'm not even sure if this is a good or bad thing
P.S.: I went the hell out and got NoScript right now but its frequent use of 'scripts partially allowed' is freaking me out. Wtf is it partially allowing? Even on the TFA, which links to the exploit, the page which they say demonstrates the exploit shows NoScript partially allowing 2/3
I only bother posting to a twitter if it's painfully obvious he's doing his usual. Sometimes, when it comes to privacy issues and other things, he usually speaks a very candid and pragmatic line - it's just a lot of the time he drifts off into closed-source paranoia and quite often makes everything up.
As for your comment, yes, I understand Windows is less secure (for one reason or another) than other options, but to blame application-related holes on them is completely wide of the mark and he's aware of it - he just wants to use any excuse to push people off the platform... not that I'm under any illusions that the Ones Who Make The Decisions (much honour be upon them) listen to him.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Very reactive is all well and good - but very proactive is better.
twitter prepares to do battle with the evil Micro$haft Winblowz. Go get'em tiger!
there are few people on Slashdot who don't know that Erris and Twitter are the same person.
The only people who know that are fags like you who want to blow him.
All you have to do to shut down the IE hole on Windows is to open Internet Settings and make your proxy 127.0.0.1 (assuming you're not running a proxy locally, of course). This will make IE fail every time it attempts to access any remote site. If you still want to do Windows Updates, and you probably do, then add exceptions for the sites it needs explicitly.
"At the end of the day you can sight all kinds of flaws in Microsoft and closed source software. "
Close, but not quite.
Sight (v): to acknowledge that you have seen or received a document, as in, 'inwards goods has sighted the receipt'
Cite (v): to quote as a reference or source in an argument, as in, 'I can cite 5,124 open bugs in Microsoft Office to support my case'
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
DMGs are interesting. Take all the vagaries of file systems -- and seriously, they're infamously fragile, like little else actually -- and hand attacker controlled bytes to parsers that live in the kernel.
Boom. Seriously.
microsoft had a hand in halo 3. titter had a hand in his pants. nuff said.