Friday, January 12, 2007

Google Security Hole Allows Account Hijacking

It’s your worst nightmare – someone reads parts of your Google emails, views your docs, modifies your spreadsheets, checks out your reading habits on the Google personalized homepage or Google Reader, and goes through your search history. Yet, by making use of a new Google security hole, Tony Ruscoe was able to do all that with my Google account.

Tony’s not a malicious hacker of course (in fact, the first thing he did was inform Google Security!), but he found a loophole in a new feature Google rolled out recently. Using a proof of concept script targeting this loophole – which I can detail once it’s fixed –, all Tony needed to do was make a user who’s logged into their Google Account visit a page of his, which happened to be on a “trustworthy” google.com sub-domain. I visited Tony’s page, which sent my Google cookies to Tony, which in turn enabled him to:

Get into my Google Docs & Spreadsheets application and read and modify documents I saved there

Read subjects from my Gmail inbox, as well as the first few words of these emails, by adding a Gmail module to the Google Personalized Homepage

View my Google Accounts page

Enter my Google Reader

Read my private Google Notebook

View my complete Google search history (for as long as I had the search history feature enabled in Google)

This is by far not the end of services Tony was able to see in our brief tests. What he specifically was not able to do was to read my full emails, check my Calendar events, or change my Google Account password (which would’ve given him full access to anything, basically).
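The post describes the core of the problem without naming the mechanism: once a page is served from any host under a trusted parent domain, the browser treats it as part of that domain, so it receives the session cookies scoped to the parent and, unless they are marked HttpOnly, can read them from script and send them wherever it likes. The following Python audit is an added example written for this post, not code from the original article or from Google; the header values and the "www.example.com" origin are constructed, and the RFC 6265 domain-matching rule is implemented in a simplified form. It shows which hosts a given cookie would be attached to, and flags cookies that a sibling sub-domain could both receive and read from script.

```python
"""Set-Cookie scope auditor (added example, not from the original post).

Demonstrates why a page on any sub-domain of a trusted parent domain receives
cookies scoped to that parent, and flags the ones that are also readable from
script (no HttpOnly), which is exactly the combination that lets a page on a
sibling host copy a session cookie to a third party.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None  # None means host-only (no Domain attribute)
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (a subset of RFC 6265 syntax)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            # RFC 6265 ignores a leading dot: ".example.com" == "example.com"
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val:
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching: the host is the domain itself
    or a sub-domain of it (label boundary enforced by the dot)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def cookie_sent_to(cookie: Cookie, origin_host: str, request_host: str) -> bool:
    """Would the browser attach this cookie to a request to request_host?

    origin_host is the host that set the cookie; it only matters for
    host-only cookies, which never leave that exact host.
    """
    if cookie.domain is None:
        return request_host.lower() == origin_host.lower()
    return domain_matches(request_host, cookie.domain)


def audit(headers: List[str], origin_host: str) -> List[str]:
    """Return the names of cookies that every sub-domain of the cookie's
    Domain receives AND that page script can read (no HttpOnly).

    origin_host is reported only so the caller knows which host's headers were
    audited; the scope decision depends on the Domain attribute alone.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        shared_across_subdomains = cookie.domain is not None
        if shared_across_subdomains and not cookie.httponly:
            findings.append(cookie.name)
    return findings


# Constructed sample headers, as a hypothetical "www.example.com" might send them.
SAMPLE_ORIGIN = "www.example.com"
SAMPLE_HEADERS = [
    "SID=s3ss10n; Domain=.example.com; Path=/",             # shared, script-readable
    "PREF=lang=en; Domain=.example.com; Path=/; HttpOnly",  # shared, hidden from script
    "CSRF=t0k3n; Path=/; Secure; HttpOnly",                 # host-only, stays on www
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        c = parse_set_cookie(header)
        reach = cookie_sent_to(c, SAMPLE_ORIGIN, "blog.example.com")
        print(f"{c.name:5} reaches blog.example.com: {reach}  httponly={c.httponly}")
    print("script-readable on sibling hosts:", audit(SAMPLE_HEADERS, SAMPLE_ORIGIN))
```

Run against real Set-Cookie headers captured from a site you operate, the audit answers the question this incident raises: which session cookies would a page on any other host under the same parent domain receive, and which of those could its script read. Keeping the session cookie host-only where possible, and marking it HttpOnly in every case, removes the script-readable path; it does not remove the need to control who can publish content under the parent domain.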

Now, the vulnerability in question is a very special kind, and Tony, by “claiming” this loophole, also blocked it for other abusers. This means that for the sake of this case, even though Google didn’t yet fix the hole, there is nothing to worry about (except that someone might find more holes in the vicinity of this bug). However, I am posting on this because it’s a worthwhile reminder that no company’s security is ever completely cracker-proof; in very rare circumstances, whatever you saved in Google, or entered in Google, can escape your control and land in the wrong hands. Or, as Tony phrased it on his proof of concept page, “Think yourself lucky that I wasn’t that evil!”

[Thanks Tony!]
