Google Closes Security Holes in Google Base Security

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Google Closes Security Holes in Google Base    Security

Google has fixed a security hole in Google Base that would have exposed
sensitive information stored by users of Google's services. The cross
site scripting vulnerabilities discovered by British Computer Scientist
Jim Ley would allow an attacker to steal cookies and other information
from users, while providing fraudsters with the facility to publish
their own forms and receive input using an apparently reassuring Google
Base URL.

Google Base will spearhead the search giant's entry into classified
advertising and payment processing, where it will compete with
established offerings from eBay and CraigsList. If it succeeds, Google
Base will likely accelerate a trend which has seen a growing percentage
of advertising dollars shift to the web and away from television,
magazines and especially newspapers, which rely heavily on classified
ads for revenue. Strong application security is important to gain user
confidence in the service, as Google Base is eventually expected to
integrate a micropayment system (presumably Google Payments).

Google's move towards a single Google Account for multiple services
exacerbates the problem, as the same account used by the Google Base
site can also be used to access financially sensitive services such as
AdWords and AdSense, and Google's GMail webmail service.

Ley, who also recently found a similar security vulnerability in Yahoo
Maps, says that there is a pervasive problem with companies releasing
new applications on to the Web with easy-to-find vulnerabilities still
present. Too little thought is given to the consequences of such
action, which in the case of an identity or data theft scenario on a
very widely used service could be severe for a correspondingly large
number of people.

The nature of the problems discovered by Ley provides fraudsters with
the tools to create phishing sites with a good level of plausibility
because the base URL would be that of a well-known brand - in this case
Google or Yahoo. This is the same in principle to that scenario whereby
fraudsters try to find open redirects or cross site scripting
vulnerabilities on bank sites to improve the authenticity of their
frauds. The importance of testing to remove application vulnerabilities
is proportional to the level of trust the public places in the service
and the impact of this trust being broken.

Netcraft provides a range of services for companies to eliminate these
kinds of errors from their systems, including comprehensive application
testing, training for developers and designers of web based
applications, and an service aimed specifically at detecting and
reporting Open Redirects.

Posted by Paul Mutton at November 18, 2005 09:04 AM |

Site Timeline