Details on the Recent Google Vulnerability
Google January 14th, 2007 - By Haochi
Tony Ruscoe, who recently found a Google Account security hole that allowed attackers to access many of your Google services, has now posted detailed information about it on Google Blogoscoped.
The security flaw was found in the recently added Blogger feature “Custom Domains”. Normally this would not be a problem, but if someone entered a Google subdomain that had a CNAME record pointing to ghs.google.com, that person could gain control of the subdomain through Blogger, since “there’s no reliable way to verify whether the Blogger user actually owns the domain they’re entering”, and Google did not prevent users from entering Google subdomains as “Custom Domains” the way it does in Google Apps for Your Domain. (GAFYD does not allow users to register a domain with “Google” in it.)
Once the user controlled a Google subdomain, they could read your Google login session cookies with a single line of JavaScript (document.cookie) and send them to an outside domain, where a server-side script would process them.
Tony also gives some suggestions in the blog post; you can read more about it on Google Blogoscoped. And, uhh, did I mention that Google has already fixed the security hole?
From Google Blogoscoped: “Services that were accessible using this technique included: Google Alerts, Google Analytics, Google Base, Google Bookmarks, Google Code, Google Co-op, Google Docs and Spreadsheets, Google Finance, Froogle Shopping List, Google Image Labeler, Google in Your Language, Google Groups, Local Business Center, Google Maps (Saved Locations), Google Notebook, Personalized Homepage, Personalized Search (Search History), Google Reader, 3D Warehouse (SketchUp), Google Video and Google Webmaster Tools.”
