Googlified

RSnake of web security site Ha.ckers.org reports a serious XSS vulnerability in Google’s online office suite - Google Docs, that’s used by hundreds of thousands users and businesses.

Technically, one can inject malicious code into a document and trick Google Docs so whenever a logged-in Google user visits the Google Docs document, the user’s cookies will be sent and recorded on a non-Google server. Non-technically, some bad guys can have full access to your Google Docs documents without your knowledge and do whatever they want, if you step on a wrong site. I advise you to only visit trusted sites or install AdBlock Plus and configure to block the Google Docs’ site. I heard that it helps, can’t guarantee though.

Another vulnerability, not a direct threat to your Google data, but to the sites that uses Google’s Custom Search Engine. So just as above, some bad guys can steal your data (information) of whatever site you are on.

Also, security research Christian posted an ultimatum on the Sla.ckers’ forum regarding to multiple security holes in the YouTube system that can cause a privacy concern for YouTube users. He said that he would fully disclose the vulnerabilities in two weeks if Google doesn’t work with him to solve the issue. This is after he informed the Google security team, which handled his email carelessly.

None of these seem to be fixed as I am writing this, so keep an careful eye on the sites you are visiting. Good luck. :)

Google’s Custom Search Engine service (part of Google Co-op), today launched a new tool to help you to create a customized search engine “on the fly“.

Previously, to create a custom search engine using the service requires you to enter a whole lot of URLs (depending the size of your search engine), now, you just need to enter one URL and Google will do the rest.

The Google Custom Search Blog explains:

You can now create a CSE by simply placing a small piece of tailored code on a page on your site. With that one piece of code, Google’s search technology will automatically include in your new CSE all of the sites you have linked to from that page, creating a dynamic, powerful and tailored search experience really quickly. Moreover, your new CSE will update itself periodically to include any new links added to that page.

This tool DOESN’T seem to be obeying the “nofollow” attribute.