Slashdot Mirror

← Back to Stories (view on slashdot.org)

GoogHOle Exploits GMail, Picasa and 200K Other Sites

Posted by CmdrTaco on from the hate-when-that-happens dept.

Giorgio Maone writes "Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites which outsourced their search engines (vulnerabilities included in the price). If even Google, a very reactive company when web security matters, does face this kind of problems, how serious is the threat and what can you do, as a "normal" web user, to protect yourself?"

31 of 167 comments (clear)

  1. Nothing... by saleenS281 · · Score: 3, Insightful

    at the end of the day, when you rely on third party apps run by a completely different company, you can't do ANYTHING to protect yourself.

    1. Re:Nothing... by Billosaur · · Score: 3, Insightful

      Well, you can certainly stop using the apps... It's the problem of a user becoming too invested in any one thing (OS, DB, etc.). Whenever you become a pundit, a die-heard fan, or even just a casual, everyday user, you buy the whole package, bugs and all. You not only accept that an app proves useful to you, but that it will contain flaws that may prove problematic. Everyone seems to accept that because it is Google, they write perfect code. No way. The quality of code today is such that flaws such as these are inevitable. This doesn't make Google bad, stupid, or irresponsible; it's just part of the business. They will fix these things and life will go on.

      --
      GetOuttaMySpace - The Anti-Social Network
    2. Re:Nothing... by Anonymous Coward · · Score: 1, Insightful

      This is exactly why I do not use any "Web 2.0" applications, why I still rely on an "old fashioned" POP3 mailbox and a real email client, and why ultimately all this Web 2.0 nonsense with centralised data that you access over the internet will fall through.

      Because it isn't secure. Even a little bit. It only takes one cracker to find a way in and all your data is no longer secure and there is nothing you can do about it!

      Here's me being all old fashioned and actually taking control of my own data. Silly me!

    3. Re:Nothing... by Silver+Sloth · · Score: 5, Insightful

      But I didn't build my car, my house, amy of my white goods, in fact 99% of what I use every day was built by third parties. I can and should demand that the good I purchase reach certain standards - in the UK this is enforced by law.

      However, anything I accept for free, anything where there isn't some sort of agreed contract between my and the supplier, then caveat emptor (pun intended)

      --
      init 11 - for when you need that edge.
    4. Re:Nothing... by dragonfoe · · Score: 2, Insightful

      So only people who write hteir own code are safe?

    5. Re:Nothing... by ajs · · Score: 2, Insightful

      There are some things you can do to protect yourself. I've been running my own mail server for over 10 years, and I have to say that it's the least of my headaches from my home server. Keeping up with spam filtering technologies is a mild pain, but SpamAssassin has gotten quite good at making that less of an issue. I do wish MX handling were smarter than it is, but you don't *have* to worry about it.

      The only thing is that it ends up costing me in ISP price. Most of the net has gravitated toward the position that MTAs are not valid if they're within dynamic IP ranges, which painful though it may be to see the "network of peers" reduced to the "network of clients and servers," I had to adapt to. Sadly everyone and his brother now believes that static IP addresses are some sort of "advanced business solution," so you have to go to a small provider like Speakeasy to get decent pricing.

    6. Re:Nothing... by Whatanut · · Score: 2, Insightful

      Surely you're using secure pop3. And not just sending your password to the server in clear text...

      --

      yvan eht nioj
    7. Re:Nothing... by aaronl · · Score: 4, Insightful

      This is true, however, there is one very large difference between Google and everything that you listed. While Google build the apps, similar to case of your car, house, etc, they are also operating and maintaining the product. The car manufacturer doesn't *run* your car, or maintain it. If it break, you go somewhere and pay a different third party to fix it, or you fix it yourself. In Google's case, they have your car, and keep it running, and they come around and drive you places when you want them to.

  2. How to Protect Yourself? by nurb432 · · Score: 3, Insightful

    Don't trust your data to 'on line' providers.

    --
    ---- Booth was a patriot ----
  3. Safety is an Illusion by ChaoticCoyote · · Score: 5, Insightful

    You'll never be safe.

    Complex software designed for diverse interactions will always be vulnerable to some kind of attack, even if it's as simple as someone walking out of a data center with a thumb drive in their pocket. Almost every vulnerability stems from a "feature" implemented to make software easier/flashier/useful. Flexibility and expansiveness carry with them the price of vulnerability, and pretending otherwise is to wear blinders.

    Of course developers should do their best to prevent security problems -- but there is only so much that can be done when you also need to implement Really Cool Stuff. Every door you make is a door than can be kicked in, no matter how good your locks. The real world has never offered perfect security because it can't -- why expect engineered items to be safe from all evil?

    Treat software and computers with caution, like walking through a major city's downtown at midnight. Sure, it's dangerous at times -- but it can also be exciting. Just don't pretend that danger doesn't exist...

    --
    All about me
  4. Re:Call me paranoid... by neurovish · · Score: 3, Insightful

    ... but I already use a separate SeaMonkey browser profile for my GMail account (don't want it being associated with my normal Google searches) ...and this "gmail only" browser is on the same computer, with the same IP as the one you use for general google searching? I think they'd figure that out.
  5. The answer is in the question... by blueZ3 · · Score: 4, Insightful

    If even Google, a "very reactive" company faces these issues, what can be done? The answer: Nothing can be done.

    There is no way (unless you're writing something with hundreds, rather than thousands of lines of code) that every code path is going to be audited carefully enough to catch every possible bug. Good coding practices aside, programmers are human and make errors. You do your best to catch as many as you can, and that's all you can do. When you're a "consumer" of code, you look for an organization that seems to be doing this and use their stuff. There's no complete, proactive solution to bugs.

    The important thing is that you want someone "very reactive." An organization that acknowledges these flaws up-front, publicly announces vulnerabilities with a work-around until they're patched, and then corrects problems in a timely manner. Some companies are more like this than others.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
    1. Re:The answer is in the question... by cowscows · · Score: 2, Insightful

      It even goes beyond the code as well. Even a completely bug-free web application could be compromised through things like social engineering, an untrustworthy employee, or maybe even plain-old theft.

      We like to pretend that the internet is some how this brave new world, but it's still built on a physical infrastructure that exists in the real world, and is designed and maintained by people that live in the real world. In the real world, making something 100% secure is not really feasible, so we just do the best we can and make contingencies for when security fails. I have deadbolts on all of my doors and I lock them when I leave the house, but that doesn't mean that I don't have insurance in case someone busts through a window.

      There's not really a useful "insurance" system in place to cover my email account getting hijacked, but a smart consumer can take some steps to limit the potential damage. You can use different web services from different providers, so that the failures of one only affects a smaller portion of the services you use. You can avoid reusing passwords. You can be very careful with your personal information. Etc...

      It's all a pain in the ass, but then again, I don't particularly enjoy having to spend all that extra money for homeowners insurance. It's just a necessary part of life, in both the "real world" and the internet world.

      --

      One time I threw a brick at a duck.

  6. Dont use hosted services!!! by JeremyGNJ · · Score: 3, Insightful

    At the end of the day you can sight all kinds of flaws in Microsoft and closed source software. However, for as you're running that software LOCALLY on your computer, then you have the ability to take measures to protect yourself.

    If you're drinking the google-juice just because it's "cool" or you want to support them because they're "not evil", you're only doing yourself a dis-service.

    Keep your email local, dont save your passwords on a public "service", dont keep naked pictures of your girlfriend on your "G-Drive", etc etc etc

    Common Sense

  7. Trust nobody! by Per+Abrahamsen · · Score: 4, Insightful

    Neither can you if you hire people to implement it on your own company.

    And if you do it yourself, you can be sure that the security will not be higher than your own skill set.

    If you want to trust nobody, you might as well retreat to am isolated island somewhere, as you will be unable to function in a society. The key to functioning in a society isn't distrust, but to to be able to judge who to trust and who not to. Which is quite annoyingly mostly a social rather than a technical skill.

    ----

    I personally trust the people at Google more than I trust the people and products responsible for our internal mail solution (which is also available as web mail). Especially with regards to competence (as opposed to integrity). So I would love for us to switch.

  8. How is one protected in this case? by neurovish · · Score: 2, Insightful
    FTFA

    For such an attack to be successful, the victim just needs to visit a malicious website while logged in Google, e.g. by following a link from an incoming message This is something that can pretty much be said about any site where you login, and is really nothing new. If you're logged in someplace on one browser/profile, then anywhere you visit can potentially have the same rights as you on this site. With the prevalence of XSS and CSRF vulnerabilities around the internet these days, I don't consider any site "safe". This doesn't mean I suggest going all tinfoil hat, just be aware of what rights you currently have and take measures to protect the data that correspond how valuable the data is to you. If it's something really important, use a completely separate browser/instance for it; browse with Opera and read email with Firefox.

    It's really an extension of "don't log in as an admin" mentality to web-based services.
  9. Re:The real question: by vtcodger · · Score: 1, Insightful
    ***So that's a windows only exploit?***

    I'd guess not. Picasa on Linux is a Wine application. Wine, of necessity, has a (yechhh) Registry and Windows API calls to tinker with it. So a registry based attack on the Google web site might very well stand about the same chance as any other complex software under Wine on Linux. Might work, might not. Again, that's a guess. Like 99% of the other posts on Slashdot, this one isn't based on actual knowledge or anything like that.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  10. Re:The real question: by Otter · · Score: 3, Insightful
    We could not possibly blame that on windows.

    That has absolutely nothing to do with Windows. It's poor design in a Windows/WINE-only application.

    --
    What I'm listening to now on Pandora...
  11. Re:Call me paranoid... by adnonsense · · Score: 2, Insightful

    ...and this "gmail only" browser is on the same computer, with the same IP as the one you use for general google searching? I think they'd figure that out.

    If "they" were really after me specifically, I'm sure they would. It's more a matter of not having all my stuff associated with the same Google cookie.

  12. what to do by Anonymous Coward · · Score: 3, Insightful

    what can you do, as a "normal" web user, to protect yourself? Ahhh... NoScript!

    Turn off client side scripting.

    OR

    echo "127.0.0.1 google.com" >> etc/hosts

    When I first started in web development it was hammered into us that client side scripting MUST degrade gracefully. What ever happened to that rule?

    I hate sites locked to "Web2.0" only! For the most part I will not use them. There are only a handful of URL's in my scripting white list, most of them my own sites.

    Yes, I use some client scripting, but it degrades properly.

  13. Goog is not the "great white hope" by Anonymous Coward · · Score: 1, Insightful

    Looks like Google will not be the FOSSie community's "great white hope" coming out to beat Microsoft and show them how it's done.

    Google is great and all, in a late 90's dot-bomb "new economy" way (I mean, who doesn't like free stuff?), but eventually the price of having all your personal information in Google's huge data mine is going to cost far more than it's worth.

  14. Flexcar/Zipcar work that way wonderfully! by Blahbooboo3 · · Score: 2, Insightful

    well, i use flexcar (rental car sharing), and it is WONDERFUL. I don't have to maintain it, deal with insurance, nada. I just use their car, and walk away when I am done with my rental.

  15. Keep Your Own Secrets by Doc+Ruby · · Score: 4, Insightful

    I don't let websites keep my credit card info, or any password other than the one needed to unlock their own site, or any other personal info that is valid outside their own realm, unless their service won't work otherwise.

    The Web would be a lot more secure if my browser had a keyring integrated with my own computer, and I kept my secrets on my own computer under my own control. When challenged by any server for a secret, my browser or other client SW I'm using should pull the secret from the keyring and supply it to the server. That service should let me use a master key from any remote terminal to query my own computer, over my home broadband or wherever I keep the secrets. All by a standard protocol that lets me just fill web forms (and other challenges) as I do now, possibly entering the master key and maybe an additional confirmation challenge to let the 3rd parties communicate, but otherwise just as transparent as just filling in the forms.

    If a 3rd party server is going to store my secrets, I want it to be my bank. I don't know why banks haven't gotten into this business already, after well over a decade watching their profits multiply from the Web, along with many risks. Maybe Google will push a key distribution protocol like this in partnership with some banks. That would also finally get Google into the payment business to challenge eBay's PayPal, which I hate precisely because its (mostly unregulated) global Internet bank is a monopoly, and I don't trust PayPal with my secrets. If Google does recover from this crack, they might be solid enough to trust.

    --

    --
    make install -not war

  16. Re:The real question: by sqrt(2) · · Score: 2, Insightful

    Too bad you posted AC. I would have friended you for that correct prediction.

    --
    If you build it, nerds will come. Soylentnews.org
  17. Re:The real question: by Anonymous Coward · · Score: 1, Insightful

    Only if you browse the net from wine too... my browser (iceweasel) doesn't know anything about that registry, nor should it

  18. Replace 'Google' with 'Microsoft' by I'm+Don+Giovanni · · Score: 3, Insightful

    I see many here making excuses for Google ("You'll never be safe with online service providers", "There's nothing Google can do", etc) and offering solutions ("Use Firefox with Noscript", etc). But I can't help but laugh because I know that if this were about Microsoft web services being exploited, the comments would be completely different. The number of comments would be at least five times greater than they are here and would be filled with gloating and screaming over Microsoft's "incompetence" and whatnot.

    You know that there is some truth in what I say.

    It looks to me that there are major holes in Google's services, and they need to be called out on it, not given excuses.

    --
    -- "I never gave these stories much credence." - HAL 9000
  19. You have it all wrong by Anonymous Coward · · Score: 1, Insightful

    According to Twitter, Microsoft is to blame for all of the problems in the history of the universe. Heck, all viruses that compromise the human immune system must be the fault of Microft according to twitter. Twitter is a nut case and everyone should treat him as such, no matter which OS he advocates for or against.

  20. what I WILL do to protect myself... by justdrew · · Score: 2, Insightful

    nothing. relax and wait for google to fix the problem, as they surely will. Everything has some vulnerabilities, but the odds of them targeting me out of millions of people is very low. so low it's not a risk I feel any need to worry about. The endless "security" mantra is bullshit, mostly used to whip clueless consumers into making various moves from or to some product. Really it's an iterative process, an arms race if you will. Anything can happen. your office or home can be broken into very easily too ya know. So what? If you're really so fucking concerned about your precious pictures being access through picasa, maybe you should just learn to burn them to a cd and mail them to people.

  21. Re:Easy to blame M$ by Ajehals · · Score: 2, Insightful

    The problem Microsoft have with this regard is that a) there *are* security issues with windows that simply do not occur elsewhere and popularity *is* an issue. Windows is less secure than its OSS counterparts when coupled with a user and an internet connection, this isn't just poor design or poor planning, much of it has to do with how applications use the Win32 API and the sheer complexity of the same. b) When a Windows exploit is identified, whether it is an Office issue, a OS issue, IE issue, a driver issue etc. (even a totally third party application issue) it is seen as a Microsoft issue (not an office team/explorer team etc..). In the OSS world an exploit is at most associated with whichever application it found contained in*, it is rarely seen as a *Linux* issue, and frankly that is fair, Linux is far more modular than windows (and as such (at least in places) less well integrated)

    As for twitter, I have to say its getting a little bit boring, both reading that everything is Microsoft's fault and the twitter bashing. twitter seems to have valid points sometimes and as such I wish people would respond with regard to the post rather than the person posting.

    Not that my wishing for things gets me anywhere!

    *Unless it is a study comparing open and closed source, in that instance whichever method is better for the study sponsor will prevail.

  22. "very *re*active"? by 6Yankee · · Score: 2, Insightful

    Very reactive is all well and good - but very proactive is better.

  23. Re:Ha ha, fanboy. by Macthorpe · · Score: 2, Insightful

    The trolling has really dropped in quality recently...

    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien