Software developer Giorgio Maone offers a very good analysis in his Hackademics blog of which Google programs are flawed and who discovered them. He outlines four issues:
— A Google Search Appliance XSS flaw discovered by researcher MustLive, affecting almost 200,000 paying customers of the outsourced search engine and its users.
— A Picasa exploit discovered by researchers Billy Rios and Nate McFeters that leverages a combination of XSS, cross application request forgery, Flash same domain policy elusion and URI handler weaknesses to steal private pictures straight from the user’s local hard disk when he or she visits a malicious Web site.
— A simple yet impressive flaw, given the huge number of users involved, is one discovered by researcher beford in Google Polls, a feature that lets multiple Google services share the same functionality. Because the component is shared, the XSS apparently can be used to attack Search, Blogspot, Groups and Gmail. Two proof-of-concepts demonstrate how Google contacts and incoming Gmail messages can be stolen by those who exploit it.
— An Urchin Login XSS disclosed by GNUCITIZEN’s Adrian Pastor, which could be exploited to compromise local Google Analytics installations.
“These vulnerabilities are surely being fixed at top speed, since Google is one of the most reactive organizations in this fight,” Maone writes. “But they’re nonetheless disturbing because they hit the very main player on the field, with the largest user base on the Web.”
Computer scientist Kurt Wismer writes in his Anti-Virus Rants blog that there are relatively simple ways for Google users to protect themselves against these types of flaws.
“What if you’re like me [and] you use more Google apps than just Gmail?” he asked in his blog entry. “What if you use Blogger for example, or Google Reader, or Google Notebook, or Google Groups, etc. If you’re like most people you use the same Google account for all of them — your gmail account. It’s convenient, you only need to remember one username and password, and when you visit an exploit page while still logged in to one of these other Google Web applications your Gmail account gets pwned because logging into one logs into all.
“Now, you could always hope Google fixes these problems before you get caught, or use tools like the noscript Firefox extension that should be able to help most of the time, but you might not realize that you can also use a non-Gmail Google account for those Web applications. Then, not only is it easier to stay logged out of Gmail while using the other Web applications, logging into the account used for those other applications will actually force you to log out of your Gmail account.”
He then outlines steps users can take in that direction.
I checked the Google security blog to see if they had anything to say about all this, and they didn’t. But if our coverage of the search giant in recent months is any indication, there’s reason for optimism. Google has shown in a number of ways that it’s taking security seriously. One thing that impresses me is that they just come out with security initiatives, without months of hype leading up to them. Some examples:
— Last week, Google unveiled a new fuzzing tool called Flayer.
— In May Google acquired security firm GreenBorder Technologies Inc., which specializes in sandbox technology to defend email and Web users from malware.
— In July, Google acquired security and compliance vendor Postini Inc. for $625 million in cash, promising to use the company’s technology to harden defenses around its popular line of hosted applications.
I think it’s safe to say they understand how tempting a target their tools are to the bad guys.
But in the final analysis, it’s up to users to use all these nifty Google tools with care. A good example is the use of Gmail. We’ve written time and time again about the dangers of Web-based email offerings and about the need for IT shops to have sound policies to govern how they can be used in the work place.
Mike Chapple, an IT security professional with the University of Notre Dame, wrote a decent tips column outlining the risks of such Web-based programs a couple years ago, and his points are still relevant today.
As dangers he cited the following:
1. Failure to secure Web-based email sites.
2. Inadequate policies regarding employee access to external Web-based email.
3. Inadequate policies regarding Web-based access to corporate email.
4. Bypassing corporate content filters.
5. Use of third-party email services.
While his advice is specific to email, it still illustrates an important lesson for any IT shop that allows the use of Google programs:
There must be rules for when and how these programs can be used, and the IT environment must be equipped with layers of security technology that will blunt the impact of any Google-related exploits.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.