Google Base launched with security hole

Google Inc. has patched a security problem with its Google Base that allowed attackers to steal sensitive information from users of the new content-hosting service.

The problem, which was patched within hours of its discovery earlier this week, allowed attackers to steal cookies and other information from Google Base users and also gave attackers a way to embed fraudulent forms within Google Base Web pages. This type of problem, called a cross-site scripting vulnerability, has also cropped up in Google's search service and in Yahoo Inc.'s mapping product.

Google Base (http://base.google.com/base/default), which was released in beta version on Wednesday, gives users a way to classify and post information like recipes or classified advertisements. Items that are listed there will then also appear at appropriate parts of Google's site, such as the Web index, the Froogle comparison shopping site and the local business directory.

The bug in Google Base was easy to find, and was due to "incompetent" programming on Google's part, according to Jim Ley, the U.K. computer expert who discovered the bug. "There’d obviously been no security testing whatsoever and there were trivially obvious [cross site scripting] holes in it," he wrote of Google Base, in a blog posting dated Wednesday. (http://jibbering.com/blog/?p=187)

Security experts have criticized Google in the past for being excessively secretive about what, if any, security procedures it uses to develop products. While rival Microsoft Corp. has gone to great lengths to publicly describe the steps it is taking to improve security in its software, Google has refused to talk about security, other than to confirm that it does have some employees who work in the area.

Google did not return calls seeking comment for this article.

The search giant's silence on the topic clearly irritated Ley, who said that Google didn't even send him an e-mail to acknowledge his initial report of the cross-scripting bug. "Google appear to have a complete silence approach to security, I guess they think what the public don’t know can’t worry them," he wrote on his blog.

Ley has discovered similar cross-scripting problems with Google's search service, (http://jibbering.com/2004/10/google.html) and in Yahoo Maps (http://jibbering.com/blog/?p=186).

These flaws show that companies like Yahoo Inc. and Google need to improve testing or risk losing public trust in their products, wrote Paul Mutton an Internet Services Developer with Netcraft Ltd. "The nature of the problems discovered by Ley provides fraudsters with the tools to create phishing sites with a good level of plausibility because the base URL would be that of a well-known brand - in this case Google or Yahoo," he wrote in a Friday posting to Netcraft's Web site.