GoogHOle Exploits GMail, Picasa and 200K Other Sites
Giorgio Maone writes "Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites which outsourced their search engines (vulnerabilities included in the price). If even Google, a very reactive company when web security matters, does face this kind of problems, how serious is the threat and what can you do, as a "normal" web user, to protect yourself?"
Is it completely in their hands?
How do I know if I'm vulnerable?
Can I do anything to protect myself?
If you mod this up, your slashdot background will turn into a beautiful sunset!
The article is very low on details. I read it and I'm still not sure how it works, whom it affects and what I can do to protect myself (obviously, since I don't know how it works).
It would have been nice if they went into some more detail for technical users.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Just quoting from the original so-called 'Google' messages
If you've read our previous post Say Cheese! then you know that Google's Picasa registers the picasa:// URI in the Windows registry and it is possible to abuse this registered URI through a Cross-Site Scripting exposure to steal a victim's images.
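The quoted advisory turns on one detail: a scheme like picasa:// is only reachable from a web page because it is registered as a URL protocol handler in the Windows registry. An added example (not from the advisory or from Google) that audits which custom schemes a Windows machine currently exposes and which program receives the page-supplied URL, so you can answer "how do I know if I'm vulnerable?" for your own box:

```powershell
# Enumerate URL protocol handlers registered under HKEY_CLASSES_ROOT.
# A key carrying the "URL Protocol" value is a scheme (picasa://, mailto://, ...)
# that any web page can invoke via a link or script; the shell\open\command
# value is the program that receives the attacker-controlled URL.
# Read-only audit: nothing in the registry is modified.
function Get-RegisteredUriHandler {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object {
            $null -ne (Get-ItemProperty -Path $_.PSPath -Name 'URL Protocol' -ErrorAction SilentlyContinue)
        } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdKey  = Join-Path $_.PSPath 'shell\open\command'
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Scheme    = $scheme
                Handler   = $command
                # %1 is replaced by the full URL from the page, so these handlers
                # parse untrusted input and deserve a closer look.
                PassesUrl = [bool]($command -match '%1')
            }
        }
}

# Built-in schemes you would expect on any Windows install; everything else is
# third-party software that a web page can reach. (List is an assumption; extend it.)
$wellKnown = @('http', 'https', 'ftp', 'mailto', 'file', 'news', 'nntp', 'telnet')

Get-RegisteredUriHandler |
    Where-Object { $_.PassesUrl -and ($_.Scheme -notin $wellKnown) } |
    Sort-Object Scheme |
    Format-Table -AutoSize
```

Run it in an elevated or normal PowerShell session; each row is a scheme a page could trigger, and removing or reviewing handlers you don't need shrinks that surface regardless of which browser you use.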
So that's a Windows-only exploit?
We could not possibly blame that on Windows.
FTFA:
... but I already use a separate SeaMonkey browser profile for my GMail account (don't want it being associated with my normal Google searches), and access untrusted URLs using another browser running under a different user. As a matter of habit (I do web-based stuff and I'm used to having several different browsers open). Probably not 100% foolproof, but helps me sleep easier at night.
It's pretty much fair game since Microsoft more or less took credit for Google's success recently...
perhaps one of the simplest examples of a program involving transactions and user interaction
now consider the number of hacks you can use to exploit a vending machine (granted many are physical hacks, but you could call that analogous to social engineering hacks involving "real" software)
now, if something as simple and as straightforward as a vending machine can be exploited, then the obvious conclusion is that:
we should not express shock that google can be hacked, but we should express shock that any of us expected it couldn't be hacked
any computer program of sufficient complexity will be hacked. not could be. will be
and the internet is well into the zone of "sufficient complexity"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
If you run Firefox, install the NoScript plugin
Since Firefox users like to push forward NoScript a lot as some safety precaution (I ran it for 2 months, and finally got fed up with enabling virtually any site I visit so it operates; what's the point), I read a very interesting article about the embeddable nature of IE.
You see, if Firefox can play WMP files on your machine (Windows machine) then every time you open a page (or video) in Firefox you potentially open IE, since WMP can open pages directly inside, and it uses IE regardless of your preferences.
A similar situation occurs with IMs like Skype and ICQ.
As another commenter said above, security is an illusion. Pure and simple.
I handle most third-party apps for the Mac (which are usually on a .dmg) like this:
(1) Download the .dmg to ~/noinstall/.
(2) When I wish to use that app I mount the image and use the app from the temporarily mounted image.
(3) When done using the app, unmount.
(4) Profit!
Of course there are quite a few GNU apps on my Mac which were built and installed from source, but I've never had a reason to feel leery of those. All the G-apps and all third-party proprietary apps are in ~/noinstall. Always knew that would pay off one day...
Caveat Utilitor
Of course, exploitable programs are all Microsoft's fault - which must be why the remote root exploits for Quake 1 and 2 for Linux must be all Linus' fault!
Let's be honest, exploitable applications are OS independent. Though I guess honesty never really comes into it with you, hmm?
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
How about people who were looking to move their internal office applications to google (there were hundreds of people here on Slashdot saying they were planning on doing just that), are their critical private documents at risk or not? I've never been fond of software as a service for internal business functions, and this seems like another concern point against it.