Well, maybe not so much. However, Google has been pretty light on the keys in fixing a cross-site scripting bug that leads to some pretty serious consequences for us, the end users. The flaw in the handling of the code can compromise our very online privacy, which is being taken from us at a snail's pace as time goes on. The term is 'phishing' and it is spreading online like an epidemic of Biblical proportions.
According to PhishTank, there have been approximately 8,139 valid phishes online so far this year alone by their count - we're estimating that's just the tip of the iceberg, and we've only just recently passed the halfway mark of 2007. Phishing demographics are being collected by numerous government agencies, but little in the way of litigation and lawmaking has been done to combat these online scam artists. So that leaves the job to the private-sector workforce, researchers such as our good friend Robert (RSnake - ha.ckers.org), who has discovered an error in Google's gmodules website that allows for cross-domain scripting, which is subject to code injection and has been partly associated with an inferior tagging system which is universally.
As his article explains, which was based on direct correspondence with Google after his disclosure of the issue to them, he is able to inject code into the website's URL, which lets him manipulate the page's presentation - in this case, it only proclaims "XSS". Unfortunately, more devious minds could easily put this type of vulnerability to work to gain Social Security numbers/information of U.S. citizens, identities, credit card numbers, or even redirect a user to a different website altogether, potentially ruining the financial and privacy security of people's lives. To compound the issue, because of the way the site has been designed to support this functionality, a change such as this could completely alter the operating characteristics of the site itself. The problem resides in the lack of validation on Google's part, and they just seem determined not to listen.
This type of blatant disregard for the online security of their customers seems like a complete contradiction of one of the fundamental trumpets that Google has been blowing over the course of the decade - privacy. The exchange with RSnake made news today on The Register via John Leyden, who has reviewed the situation and recently published another article on Google's 'security' efforts, in which he said, "Some point out that Google has at least mitigated the risk by running modules from the gmodules domain, while others argue that the security policies at the ad brokering giant leave a lot to be desired."
To us, that is the whole point entirely, John - not enough has been done by Google, the upstart turned super-spectacle search engine firm, to stem these types of security/privacy policy inconsistencies from the company that apparently stood up to the Department of Justice (DoJ) on the privacy of its users and carries that mantle. One user going by the handle/initials "BK" on RSnake's weblog had this to say: "…the whole concept of “Taking Ownership” of someone else's content is a little scary. The reason ownership of content is so scary, is because the entire trust model for the WWW is basically built on ONE thing… the DOMAIN NAME." The proof is in the pudding on this one, and regarding the branding associated with this topic, which hangs on the very powerful, very influential domain name, we couldn't agree more.
Mitigation couldn't be considered a lapse in correction or a sidestepping of the issue by hosting the problem on a separate domain, could it? This is a fine example of the argument I made in the article I wrote in April, "Internet Communication Needs RATTS", on keeping hosts accountable if something DOES go wrong because of their reluctance to fix the issue.
Get a rein on those horses, Google, or someone will probably end up doing it for you.
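To make the "lack of validation" concrete, here is an added example (not code from the original post, from RSnake's write-up, or from Google's gmodules site) of the bug class described above: a page that copies a URL parameter straight into its HTML, shown beside a hardened version, plus a log check a site operator could run to spot probes for it. The parameter name "title", the "/gadget" path, the markup and the log lines are all constructed for this example.

```javascript
// Added example, not code from the original post or from Google's gmodules
// site. Models a page that reflects a URL parameter into its HTML with no
// validation (vulnerable) beside the escaped version (hardened), plus a
// defender-side check over access-log lines. The "title" parameter, the
// "/gadget" path, the markup and the log lines are constructed.

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function titleFromQuery(queryString) {
  return new URLSearchParams(queryString).get("title") || "";
}

// Vulnerable: whatever arrives in ?title= is interpolated verbatim, so markup
// in the parameter becomes markup in the page (the "lack of validation").
function renderVulnerable(queryString) {
  return `<h1>${titleFromQuery(queryString)}</h1>`;
}

// Hardened: the same value is escaped for an HTML text context, so the
// browser displays it as text instead of parsing it as tags.
function renderHardened(queryString) {
  return `<h1>${escapeHtml(titleFromQuery(queryString))}</h1>`;
}

// Defender's view: flag access-log requests whose request path, once
// URL-decoded, contains markup that should never appear in a title value.
// The patterns are illustrative, not exhaustive.
const PROBE_PATTERNS = [/<\s*script/i, /<\s*iframe/i, /javascript\s*:/i, /on(?:error|load)\s*=/i];

function findProbeRequests(logLines) {
  return logLines.filter((line) => {
    const m = line.match(/"(?:GET|POST) (\S+)/);
    if (!m) return false;
    let path;
    try { path = decodeURIComponent(m[1]); } catch { return false; }
    return PROBE_PATTERNS.some((re) => re.test(path));
  });
}

// Constructed sample log lines in common log format.
const SAMPLE_LOG = [
  '203.0.113.5 - - [17/Aug/2007:10:01:02 +0000] "GET /gadget?title=Weather HTTP/1.1" 200 512',
  '203.0.113.9 - - [17/Aug/2007:10:01:07 +0000] "GET /gadget?title=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 540',
  '198.51.100.2 - - [17/Aug/2007:10:02:11 +0000] "GET /gadget?title=News%20%26%20Sport HTTP/1.1" 200 520',
];
```

Running `findProbeRequests(SAMPLE_LOG)` returns only the second line, while `renderHardened` turns the same payload into inert text; hosting the reflecting page on a separate domain, as the article's quoted mitigation does, limits what such a payload can reach but does not remove the reflection itself.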
@Jon
Outstanding perspective delivery in this article. I completely believe that you’ve hit the nail on the head. Not too long ago, Google was in a beridden campaign on the protection of privacy of its users. Now, it seems even the most subtle of technologies they employ is leaving the doors open.
I don’t know if this is entirely their fault though. I believe at some point they realized, just as some other major conglomerates have, that a full privacy model is mildly faulty if not completely unattainable as a whole. However, we hold Google to the lofty expectations they created for us when they originally released and went public, so in that sense they are to blame.
I sincerely hope that Google gets their act together on this one.
Cheers.
Very nice. Love this place! Keep up the good work!
Just so you know, it was I who found this vulnerability in the gModules / Google website.
http://www.xssed.com/news/39/XSS_vulnerability_in_iGoogleGmodules_when_calling_external_widgets/
-x2Fusion
@x2Fusion
I question the validity of that statement, but I will pass it on to RSnake and if he wishes to counter or confirm, he can at his leisure, especially when his article is published as of “20070817” and yours was supposedly published as of “20070820” (three days later).
@J. Longoria
I’ve e-mailed Xssed about it and they said I should contact RSnake, and it was submitted onto XSSed before it was posted on here as far as I know.
I found it at least two to three weeks before I submitted it onto Xssed, fyi.
-x2Fusion
@x2Fusion
I do hope you realize this article is a follow-up/promotional article to his article in an attempt to put pressure on Google to fix their mess and raise awareness of their inappropriate views on the security of their operating public.
I wrote RSnake an e-mail regarding it since you decided to post to our site instead of taking the issue up with him directly (note: we didn’t remove your comments, however contradictory they might be or discourteous it might have been to post them publicly instead of taking it up with the original author first), referencing your post.
In part, here it is:
“... We've got a fellow on theReformed claiming ( here ) that he discovered the hole you posted about, reference ( here ). I’ve left it to you to confirm or rebut at your leisure on the site since we wouldn’t be able to responsibly verify it.”
In part, here is his response:
“... I've been too busy to defend myself these days. He may have also found it, but I certainly didn't rip him off. I have got emails with Google that definitely pre-date that post.”
Then, I made a venture to his site to review the original article - where I saw you had posted the same comments to his website. Let me recap what I posted to his site in response to your statement(s):
“@x2Fusion
As I stated on theReformed (where you commented this very same statement), I question the validity of that statement, especially when his article is published as of “20070817” and yours was supposedly published as of “20070820” (three days later). That isn’t to mention that at least half a dozen people were aware of the issue at least 2 months before the published article on either count.
Additionally, I might add that it’s a petty move to post it publicly to his weblog or ours @ theReformed when you could have just as easily e-mailed him and discussed it privately. RSnake is a pretty reasonable fellow and would have surely negotiated credit if you were due it.
Instead of concentrating on the fact that the problem is being addressed by outside parties because Google refuses to, you’ve only concentrated on ensuring you get your name in lights.”
I stand by those statements, especially when it wasn’t only RSnake, a respected industry analyst/researcher, who was aware of this problem. He just posted a responsible, comprehensive article referencing the situation - just because some already knew, no one got upset about the fact that he took it to press.
So why the issue for you? Because you feel he took your limelight, your questionable 15 seconds of fame? 2-3 weeks vs. at least 2 months, friend; you’re still behind the game if we go by even your statements above, ‘fyi’.
So this is what I am going to do for you. I am going to give you the chance to be an adult and take it up with him personally, by e-mail, telephone or carrier pigeon. I will confirm with him whether or not you’ve done that in 48 hours. If you don’t, you’ll probably find something done with your comments à la moderation, since we allowed your comment(s) to surface here in the first place.
Sorry to say, I couldn’t really e-mail him at the time as I was elsewhere and not on my own machine, thus I don’t like logging into my e-mail accounts.
That being said, I never had his e-mail address to contact him anyway, so that was pretty impossible.
Well, I’m sorry I brought this up here, and as for the ‘chance to be an adult’, well, I’d like to but I’m not going to lie, I’m just not ready to be a responsible adult just yet; I’m just 16 and can’t yet think of taxes and all that stuff.
Well, I know who truly found the vulnerability first. I don’t mind it being posted here, I’m happy with that, and wherever else it was posted it doesn’t bother me; I just wanted it to be known that I was the one who found it, and if the credit had been given anyway in the first place then it would have saved this little commotion now, wouldn’t it?
Either way, this’ll be the last post here from me now. I’ll try and find RSnake's e-mail if I can, then I’ll e-mail him.
Thank you,
-x2Fusion
@x2Fusion
I’m reading excuses, excuses that lend credit to laziness on your part. Upon entrance to http://ha.ckers.org, you’ll inevitably notice that there is a link “about us” on the right-hand side. Had you taken the time to click on that link, you’d have found that which you seek. Therefore, it absolutely was not impossible - you failed to do your research, just as you have with this claim.
Regarding being an adult, being an adult is a mindset and has nothing to do with your fiscal responsibility. Your immaturity and ego are getting the best of you here. Yes, you do know that the vulnerability was found by you, as well as by several others before you - credit isn’t due to someone who is on the tail end of the ‘discovery’. You’ve caused this ‘commotion’ and we’ve allowed it to remain in the comments - learn from your mistakes.
Please realize, you’ve only served to harm your own credibility with your commentary. Let this be a lesson-learned for your future ventures and good luck in your next efforts. I’m sure you’ll come up with some truly exciting finds if you’re picking this concept up at 16 years old.
You still have approximately 24 hours to contact him wherein I will stand by my word.
@J.Longoria
Hello, I’d just like to apologize to you for posting such things here. I’d like to admit now that I’ve been doing a little more research upon this vulnerability which was posted on http://ha.ckers.com and also on here.
That being said, I went to re-read the news article upon Xssed.com and it would seem that I misled myself into believing that the vulnerability posted here was the very one I found and posted on Xssed.com, the one I found (which I did) and nobody else, to my current knowing, has found.
This one and the one I found are different, and if you look at the news post I gave you on Xssed.com, it actually links right to the http://ha.ckers.org one, showing a totally different one.
And I do agree that it was a mistake on my part that this whole misleading here now happened.
Sorry for the trouble.
-x2Fusion
@x2Fusion
Debating whether to let this go on or not, I’d have to say that I am impressed that you’ve come about the way you have. To make an admission like that, stepping outside of pride whenever a mistake has been made, and to take responsibility for it - that shows A LOT of character.
As for the misunderstanding, no harm, no foul - our intent was to get you to sort it out or resolve it with RSnake himself, thereby exemplifying the idea that people don’t have to come to “e-fists” to work out their issues online.
We hope you’ll continue to advance yourself, continue to come back by to visit, and maybe we’ll even be able to mirror commentary on some of the finds that you’ll undoubtedly have in the future.