Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain.
If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.
And it even works in “incognito” mode (also known as porn mode).
What is the exploit? We don’t know, and Google has yet to respond to us about it. We note that the site doing the exploiting is on Google’s own blogging platform. One developer we spoke with was confused as well, saying:
i have no idea what this is exploiting but there’s a decent chance it has something to do with Friend Connect and the way it passes data between iFrames (ie yes, it very well could be opensocial related). whatever is going on it’s an extremely serious security and privacy violation and i am confident google will address this in moments counted in minutes.
i can’t recall ever having seen anything like this on a major IdP’s website. it’s scary stuff.
If you insist on trying this yourself (hey, I did), the email to you will likely be in your spam filter.
This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. See the second comment thread here
for a related issue with App Engine a month ago.
Update: The site is now down. Here’s what it looked like:
Update 2: Email from Vahe, the man behind this:
Hi Mr. Arrington,
I see you have already shared the news. It’s good that google got it down, I really don’t want people to know about how that was done (if Google contacts I will definitely tell them – they just don’t answer my emails). Problem relies solely on Google.
Problem is I asked a lot of people, and most of them don’t really understand and care about this kind of things and big companies act like they all really protect our privacy and such, but they see that people don’t care and don’t do anything really.Regards,
Vahe G. (Armenian 21yrs guy whom Google doesn’t wanted to even talk to)Update 3: From Google: “We take potential security issues very seriously, and our team is actively investigating this one. We’ll share more information soon.”
Website: google.com Location: Mountain View, California, United States Founded: September 7, 1998 IPO: August 19, 2004 Google provides search and advertising services, which together aim to organize and monetize the world’s information. In addition to its dominant search engine, it offers a plethora of online tools and platforms including:… Learn More
Information provided by CrunchBase
Saturday, November 20, 2010
TechCrunch: Whoa, Google, That’s A Pretty Big Security Hole
via techcrunch.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment