GoogHOle Exploits GMail, Picasa and 200K Other Sites

Giorgio Maone writes "Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites which outsourced their search engines (vulnerabilities included in the price). If even Google, a very reactive company when web security matters, does face this kind of problems, how serious is the threat and what can you do, as a "normal" web user, to protect yourself?"

Very few details.

[Poromenos1]

The article is very low on details. I read it and I'm still not sure how it works, whom it affects and what I can do to protect myself (obviously, since I don't know how it works).

It would have been nice if they went into some more detail for technical users.

Safety is an Illusion

[ChaoticCoyote]

You'll never be safe.

Complex software designed for diverse interactions will always be vulnerable to some kind of attack, even if it's as simple as someone walking out of a data center with a thumb drive in their pocket. Almost every vulnerability stems from a "feature" implemented to make software easier/flashier/useful. Flexibility and expansiveness carry with them the price of vulnerability, and pretending otherwise is to wear blinders.

Of course developers should do their best to prevent security problems -- but there is only so much that can be done when you also need to implement Really Cool Stuff. Every door you make is a door than can be kicked in, no matter how good your locks. The real world has never offered perfect security because it can't -- why expect engineered items to be safe from all evil?

Treat software and computers with caution, like walking through a major city's downtown at midnight. Sure, it's dangerous at times -- but it can also be exciting. Just don't pretend that danger doesn't exist...

Re:The real question:

[MrMr]

Just quoting from the original so called 'Google' messages

If you've read our previous post Say Cheese! then you know that Google's Picasa registers the picasa:// URI in the Windows registry and it is possible to abuse this registered URI through a Cross-Site Scripting exposure to steal a victim's images.

So that's a windows only exploit?
We could not possibly blame that on windows.

Re:Nothing...

[Silver+Sloth]

But I didn't build my car, my house, amy of my white goods, in fact 99% of what I use every day was built by third parties. I can and should demand that the good I purchase reach certain standards - in the UK this is enforced by law.

However, anything I accept for free, anything where there isn't some sort of agreed contract between my and the supplier, then caveat emptor (pun intended)