As the reporter of the first bug reported in the Register article, I certainly didn't go looking for it because of Google; it was trivial to find. I found it 2 1/2 years ago (you can see a Usenet post from 2002 which describes it, when XSS into Google didn't matter much, phishing was new, and Google had no data).
The reason we're getting this deluge of security flaws in Google now is simply because people are now looking. They're easy to find, and the XSS flaws are trivial (like ignoring that you need to encode user input before writing it into the page).
The issue is Google's lack of QA and security testing - do you think it's reasonable to release an HTML product which searched personal data on people's machines without having a test which provided some JavaScript as the search term? I think the failure to do that is incompetence of a level that makes MS's old security look good.
Yes, Google have fixed the flaws quickly; that's because the flaws are trivially easy to fix - HTML encoding a string isn't hard, even in Python.
That was mine, that one has since been fixed http://jibbering.com/2004/10/google.html - I know of a couple of others though which have yet to go public.
I agree it's Google's responsibility, and some of the flaws that are there aren't the bugs of people who understand the issues - one of the Google Desktop bugs is because a search for <script>alert(1)</script> is written straight into the source of the document unencoded!
That's not a bug of developers who know what they're doing, or have good security procedures in place. I think they need a lot of publicity so that, like MS, they can start getting a real culture of security in.
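The QA test and the fix the comments above describe, as an added example that is not part of either post and is not Google's code: a results page rendered with and without HTML encoding, and a check that parses the page and reports any element that exists only because of the search term. The template, function names and the baseline word are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed results-page template (hypothetical, not Google's markup).
TEMPLATE = '<html><body><h1>Results for {t}</h1><input name="q" value="{t}"></body></html>'

def render_unsafe(term):
    # The flaw from the post: the search term goes into the page unencoded.
    return TEMPLATE.format(t=term)

def render_safe(term):
    # html.escape encodes & < > and, by default, both quote characters.
    return TEMPLATE.format(t=html.escape(term))

class Collector(HTMLParser):
    """Records the elements and text a parser builds from the page."""
    def __init__(self):
        super().__init__()
        self.shape, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.shape.append((tag, tuple(sorted(name for name, _ in attrs))))

    def handle_data(self, data):
        self.text.append(data)

def parse(page):
    c = Collector()
    c.feed(page)
    c.close()
    return c

def injected_markup(render, term):
    """QA check: elements that exist only because of the search term."""
    baseline = parse(render("plainword")).shape
    return [s for s in parse(render(term)).shape if s not in baseline]

def shown_text(render, term):
    """Text the reader sees, with character references decoded."""
    return "".join(parse(render(term)).text)

PROBE = "<script>alert(1)</script>"  # the search term quoted in the post

if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        print(render.__name__, injected_markup(render, PROBE))
```

Comparing against a baseline render keeps the check independent of the template: any element or attribute name that appears only when the probe is the search term means user input reached the page as markup.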