Google Base launched with security hole

Free Newsletters

Log-in | Register

Google Base launched with security hole Cross-site scripting vulnerability fixed early Friday
By Robert McMillan, IDG News Service November 18, 2005			E-mail Printer Friendly Reprints Slashdot It!

Google Inc. has patched a security problem with its Google Base that allowed attackers to steal sensitive information from users of the new content-hosting service.

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Microsoft

The problem, which was patched within hours of its discovery earlier this week, allowed attackers to steal cookies and other information from Google Base users and also gave attackers a way to embed fraudulent forms within Google Base Web pages. This type of problem, called a cross-site scripting vulnerability, has also cropped up in Google's search service and in Yahoo Inc.'s mapping product.

Google Base (http://base.google.com/base/default), which was released in beta version on Wednesday, gives users a way to classify and post information like recipes or classified advertisements. Items that are listed there will then also appear at appropriate parts of Google's site, such as the Web index, the Froogle comparison shopping site and the local business directory.

The bug in Google Base was easy to find, and was due to "incompetent" programming on Google's part, according to Jim Ley, the U.K. computer expert who discovered the bug. "There’d obviously been no security testing whatsoever and there were trivially obvious [cross site scripting] holes in it," he wrote of Google Base, in a blog posting dated Wednesday. (http://jibbering.com/blog/?p=187)

Security experts have criticized Google in the past for being excessively secretive about what, if any, security procedures it uses to develop products. While rival Microsoft Corp. has gone to great lengths to publicly describe the steps it is taking to improve security in its software, Google has refused to talk about security, other than to confirm that it does have some employees who work in the area.

Google did not return calls seeking comment for this article.

The search giant's silence on the topic clearly irritated Ley, who said that Google didn't even send him an e-mail to acknowledge his initial report of the cross-scripting bug. "Google appear to have a complete silence approach to security, I guess they think what the public don’t know can’t worry them," he wrote on his blog.

Ley has discovered similar cross-scripting problems with Google's search service, (http://jibbering.com/2004/10/google.html) and in Yahoo Maps (http://jibbering.com/blog/?p=186).

These flaws show that companies like Yahoo Inc. and Google need to improve testing or risk losing public trust in their products, wrote Paul Mutton an Internet Services Developer with Netcraft Ltd. "The nature of the problems discovered by Ley provides fraudsters with the tools to create phishing sites with a good level of plausibility because the base URL would be that of a well-known brand - in this case Google or Yahoo," he wrote in a Friday posting to Netcraft's Web site.

E-mail

Printer Friendly

Reprints

Slashdot It!

TOP NEWS:

» Update: HP in talks to buy EDS for up to $13 billion
Deal would strengthen HP's competitive position against IBM, but still would leave it about $10 billion short of IBM's global services revenue

» SOA Software buys LogicLibrary
Combination links governance automation, repository technologies

» Sun to clarify JavaFX open-source plan later this year
Sun had promised that JavaFX would be open source, but a FAQ on Sun's site indicates that only parts of the RIA development family will be open source

» Microsoft readies service packs for dev tools
Improvements to Visual Studio 2008 include database and Office 2007 Ribbon support

» Cisco's TelePresence gets personal
The high-definition virtual meeting system will be available at a less expensive entry price for midsized businesses later this year

» Developers' role shifting from apps to platforms
Untrained workers are moving into app dev space, pushing career developers into the platform space, a Sun engineer noted at JavaOne

Virtualization: A Step by Step Approach to Success
Your virtual machines can be up and running in a matter of minutes. HP and Citrix have integrated XenServer with HP ProLiant servers and management tools, powered by hardware-assisted Intel Virtualization Technology to enable high- performance, cost-savings solutions for server consolidation and disaster recovery. Sponsor: HP

» Click here to view this Webcast

The Data Protection You've Been Looking For
Enterprise data is of supreme importance. If you can't find it quickly, it's worthless. If you lose it, it's a crisis. This IT Strategy Guide explores how to keep your data safe.

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Advance Your Storage Virtualization - It's your new dynamic duo. This Whitepaper will help you learn to create new virtual machines and storage volumes virtually...
Resolve Capacity Bottlenecks and Enhance Your Virtual Environment - Virtual machine sprawl is causing capacity bottlenecks in data centers. Therefore, it is essential to quickly identify ...
Is your smaller organization ready for High Availability? - Until recently, high availability solutions were reserved for large enterprises. Now that high availability is dramatically...
Is system maintenance doing more harm than good? - Sites that were able to accommodate periods of downtime for backups and system maintenance are finding that this window ...
Virtual Test Lab Automation: Manage development infrastructure - How can organizations provision and manage the development, test, and build systems needed by globally distributed development...
Improve Resource Utilization and Lower Operating Costs - Virtualization is becoming more important in the data center, and to the small business. Better utilization of hardware...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. Rackspace - Fanatical Support Promise: Live Support 24x7x365 HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW Collabnet - Virtual Test Lab Automation: Manage development infrastructure HP - StorageWorks All-in-One Storage Systems. hp.com/betterstorage HP - Improve Resource Utilization and Lower Operating Costs Ipswitch - WhatsUp Gold V12 - network management & monitoring for any size network. HP - Webcast: 5 Things You Need to Know About Storage Virtualization Xerox - Typhoon 8860: Enter to win a Xerox PhaserTM 8860 network color printer! BEA - Webcast: Dialing up Agility with Business Transformation Verisign - Protect Your Data with SSL HP - Speed, agility, flexibility - The HP BladeSystem c-Class. InterSystems - Development, integration, BPM, and BAM together in Ensemble Citrix - Need simple, low cost server virtualization? AMD - We're putting more and more of our energy into saving IT Xerox - Enter to win a Xerox Phaser(TM) 6180 network color printer! Mindreef - Key Strategies For SOA Testing Citrix - Go green.Virtualize servers with Citrix XenServer(TM) - FREE Citrix - Instant server virtualization. Citrix XenServer(TM) - Free!		HP - Virtualization: A Step by Step Approach to Success Microsoft - Tech-Ed 08\|Microsoft's largest tech conference\|June 08 in Orlando Neterion - The Missing Piece of Virtualization Seagate - Maxtor OneTouch(tm) 4 Mini backs up your PC on the go Box.net - Upgrade Your Classic Collaboration Tools Overland Security - The Data Protection You've Been Looking For Lefthand Networks - Free White Paper on Matching Server & Storage Virtualization Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Tripwire - Secure your virtual and physical environments with the same software. Crosscheck Networks - Accelerate Your SOA Projects Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM Microsoft - Microsoft Forefront security products for business. Learn more. Oracle - Fueling the Responsive Enterprise Microsoft - Meet Windows Server 2008. The server unleashed. Microsoft - Tech-Ed 08\|Microsoft's largest tech conference\|June 08 in Orlando Microsoft - {Open Source} Heroes Happen Here Xerox - Enter to win a Xerox Phaser(TM) 6360 network color printer! Vizioncore - Vizioncore has solutions for virtually any virtual need.

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS IT EXEC-CONNECT	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist