Slashdot Mirror


GoogHOle Exploits GMail, Picasa and 200K Other Sites

Giorgio Maone writes "Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites which outsourced their search engines (vulnerabilities included in the price). If even Google, a very reactive company when web security matters, does face this kind of problem, how serious is the threat and what can you do, as a "normal" web user, to protect yourself?"

14 of 167 comments

  1. The real question: by Anonymous Coward · · Score: 4, Funny

    How do we blame this on Microsoft?

    1. Re:The real question: by MrMr · · Score: 5, Interesting

      Just quoting from the original so-called 'Google' messages

      If you've read our previous post Say Cheese! then you know that Google's Picasa registers the picasa:// URI in the Windows registry and it is possible to abuse this registered URI through a Cross-Site Scripting exposure to steal a victim's images.

      So that's a Windows-only exploit?
      We could not possibly blame that on Windows.

  2. Very few details. by Poromenos1 · · Score: 5, Interesting

    The article is very low on details. I read it and I'm still not sure how it works, whom it affects and what I can do to protect myself (obviously, since I don't know how it works).

    It would have been nice if they went into some more detail for technical users.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  3. If you run Firefox, install NoScript plugin by elwinc · · Score: 4, Informative

    According to the article, the exploit uses Cross-site scripting, also known as XSS. There is a Firefox plugin called NoScript that limits cross site scripts. The article points you to http://noscript.net/features#xss which describes the anti-XSS protection of NoScript. The NoScript page suggests that you only load Firefox plugins from addons.mozilla.org and sends you to https://addons.mozilla.org/en-US/firefox/addon/722 where you can download NoScript.

    --
    --- Often in error; never in doubt!
    1. Re:If you run Firefox, install NoScript plugin by suv4x4 · · Score: 4, Interesting

      If you run Firefox, install NoScript plugin

      Since Firefox users like to push forward NoScript a lot as some safety precaution (I run it for 2 months, and finally got fed up with enabling virtually any site I visit, so it operates, what's the point), I read a very interesting article about the embeddable nature of IE.

      You see, if Firefox can play WMP files on your machine (Windows machine) then every time you open a page (or video) in Firefox you potentially open IE, since WMP can open pages directly inside, and it uses IE regardless of your preferences.

      Similar situation occurs with IM-s like Skype and ICQ.

      As another commenter said above, security is illusion. Pure and simple.

  4. Safety is an Illusion by ChaoticCoyote · · Score: 5, Insightful

    You'll never be safe.

    Complex software designed for diverse interactions will always be vulnerable to some kind of attack, even if it's as simple as someone walking out of a data center with a thumb drive in their pocket. Almost every vulnerability stems from a "feature" implemented to make software easier/flashier/useful. Flexibility and expansiveness carry with them the price of vulnerability, and pretending otherwise is to wear blinders.

    Of course developers should do their best to prevent security problems -- but there is only so much that can be done when you also need to implement Really Cool Stuff. Every door you make is a door that can be kicked in, no matter how good your locks. The real world has never offered perfect security because it can't -- why expect engineered items to be safe from all evil?

    Treat software and computers with caution, like walking through a major city's downtown at midnight. Sure, it's dangerous at times -- but it can also be exciting. Just don't pretend that danger doesn't exist...

  5. Call me paranoid... by adnonsense · · Score: 4, Interesting

    FTFA:

    For such an attack to be successful, the victim just needs to visit a malicious website while logged in Google, e.g. by following a link from an incoming message

    ... but I already use a separate SeaMonkey browser profile for my GMail account (don't want it being associated with my normal Google searches), and access untrusted URLs using another browser running under a different user. As a matter of habit (I do web-based stuff and I'm used to having several different browsers open). Probably not 100% foolproof, but helps me sleep easier at night.

  6. The answer is in the question... by blueZ3 · · Score: 4, Insightful

    If even Google, a "very reactive" company faces these issues, what can be done? The answer: Nothing can be done.

    There is no way (unless you're writing something with hundreds, rather than thousands of lines of code) that every code path is going to be audited carefully enough to catch every possible bug. Good coding practices aside, programmers are human and make errors. You do your best to catch as many as you can, and that's all you can do. When you're a "consumer" of code, you look for an organization that seems to be doing this and use their stuff. There's no complete, proactive solution to bugs.

    The important thing is that you want someone "very reactive." An organization that acknowledges these flaws up-front, publicly announces vulnerabilities with a work-around until they're patched, and then corrects problems in a timely manner. Some companies are more like this than others.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  7. Re:Nothing... by Silver+Sloth · · Score: 5, Insightful

    But I didn't build my car, my house, any of my white goods, in fact 99% of what I use every day was built by third parties. I can and should demand that the goods I purchase reach certain standards - in the UK this is enforced by law.

    However, anything I accept for free, anything where there isn't some sort of agreed contract between me and the supplier, then caveat emptor (pun intended)

    --
    init 11 - for when you need that edge.
  8. Trust nobody! by Per+Abrahamsen · · Score: 4, Insightful

    Neither can you if you hire people to implement it on your own company.

    And if you do it yourself, you can be sure that the security will not be higher than your own skill set.

    If you want to trust nobody, you might as well retreat to an isolated island somewhere, as you will be unable to function in a society. The key to functioning in a society isn't distrust, but to be able to judge who to trust and who not to. Which is quite annoyingly mostly a social rather than a technical skill.

    ----

    I personally trust the people at Google more than I trust the people and products responsible for our internal mail solution (which is also available as web mail). Especially with regards to competence (as opposed to integrity). So I would love for us to switch.

  9. consider a vending machine by circletimessquare · · Score: 4, Interesting

    perhaps one of the simplest examples of a program involving transactions and user interaction

    now consider the number of hacks you can use to exploit a vending machine (granted many are physical hacks, but you could call that analogous to social engineering hacks involving "real" software)

    now, if something as simple and as straightforward as a vending machine can be exploited, then the obvious conclusion is that:

    we should not express shock that google can be hacked, but we should express shock that any of us expected it couldn't be hacked

    any computer program of sufficient complexity will be hacked. not could be. will be

    and the internet is well into the zone of "sufficient complexity"

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  10. Re:Nothing... by aaronl · · Score: 4, Insightful

    This is true, however, there is one very large difference between Google and everything that you listed. While Google build the apps, similar to the case of your car, house, etc, they are also operating and maintaining the product. The car manufacturer doesn't *run* your car, or maintain it. If it breaks, you go somewhere and pay a different third party to fix it, or you fix it yourself. In Google's case, they have your car, and keep it running, and they come around and drive you places when you want them to.

  11. Keep Your Own Secrets by Doc+Ruby · · Score: 4, Insightful

    I don't let websites keep my credit card info, or any password other than the one needed to unlock their own site, or any other personal info that is valid outside their own realm, unless their service won't work otherwise.

    The Web would be a lot more secure if my browser had a keyring integrated with my own computer, and I kept my secrets on my own computer under my own control. When challenged by any server for a secret, my browser or other client SW I'm using should pull the secret from the keyring and supply it to the server. That service should let me use a master key from any remote terminal to query my own computer, over my home broadband or wherever I keep the secrets. All by a standard protocol that lets me just fill web forms (and other challenges) as I do now, possibly entering the master key and maybe an additional confirmation challenge to let the 3rd parties communicate, but otherwise just as transparent as just filling in the forms.

    If a 3rd party server is going to store my secrets, I want it to be my bank. I don't know why banks haven't gotten into this business already, after well over a decade watching their profits multiply from the Web, along with many risks. Maybe Google will push a key distribution protocol like this in partnership with some banks. That would also finally get Google into the payment business to challenge eBay's PayPal, which I hate precisely because its (mostly unregulated) global Internet bank is a monopoly, and I don't trust PayPal with my secrets. If Google does recover from this crack, they might be solid enough to trust.

    --
    make install -not war

  12. Re:Easy to blame M$ by Macthorpe · · Score: 4, Interesting

    Of course, exploitable programs are all Microsoft's fault - which must be why the remote root exploits for Quake 1 and 2 for Linux must be all Linus' fault!

    Let's be honest, exploitable applications are OS independent. Though I guess honesty never really comes into it with you, hmm?

    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien