Monday, November 21, 2005

"Google don’t care about the security of our data": Jim Ley

Google apparently didn't properly plan any of its new services.
1. Google Analytics (formerly Urchin web analytics) has suspended new registrations because Google can no longer handle the load. If you go to the Google Analytics signup screen, the following message is displayed:

Google Analytics has experienced extremely strong demand, and as a result, we have temporarily limited the number of new signups as we increase capacity. In the meantime, please submit your name and email address and we will notify you as soon as we are ready to add new accounts. Thank you for your patience.

2. Google fixed a privacy flaw in Google Sitemaps which allowed people to look at just about anyone's statistics. (David Naylor)
3. Last, but not least, Google also had a security flaw (a cross-site scripting hole) in its Google Base service.

Instead of rushing out "me too" products, why can't this company fully test and scale a product before releasing it to the public? This certainly does not make Google look like the company with the smartest brains in the world.

Jim Ley, who is credited with discovering some of the flaws, writes:
Like the yahoo programmer last week, the incompetent google base programmer had simply taken a parameter from the querystring and written it unencoded into the document. So a query http://base.google.com/base/search?a_n427=<script>alert(1)</script>&a_y427=0&a_s427=0&a_r=2 performed the alert. This was fixed about 5 hours after I reported it, showing again that google don’t care about the security of our data enough to not release clearly insecure software.
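As an added illustration of the bug Ley describes (example code written for this page, not Google Base's code), the following Node.js snippet renders the a_n427 search parameter into an HTML page first the vulnerable way, then with HTML escaping. The page template, the function names and the check at the end are assumptions; only the parameter name and the payload come from the URL quoted above.

```javascript
// Added example, not Google Base's code: reflected XSS from writing a
// query-string value unencoded into HTML, beside the fixed version.

// Vulnerable: the parameter value is copied straight into the document,
// so a value of <script>alert(1)</script> becomes a live script element.
function renderVulnerable(url) {
  const params = new URL(url).searchParams;
  const term = params.get("a_n427") ?? "";
  return `<html><body><p>Results for: ${term}</p></body></html>`;
}

// Fix: escape every HTML-significant character before the value is
// inserted into an HTML text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(url) {
  const params = new URL(url).searchParams;
  const term = params.get("a_n427") ?? "";
  return `<html><body><p>Results for: ${escapeHtml(term)}</p></body></html>`;
}

// Crude detector used only to demonstrate the difference: does the
// rendered page contain a real <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The URL from the post, with the payload percent-encoded the way a
// browser would actually send it (constructed test input).
const PAYLOAD_URL =
  "http://base.google.com/base/search?a_n427=" +
  encodeURIComponent("<script>alert(1)</script>") +
  "&a_y427=0&a_s427=0&a_r=2";

console.log("vulnerable:", renderVulnerable(PAYLOAD_URL));
console.log("fixed:     ", renderSafe(PAYLOAD_URL));
```

The escaper above is only correct for HTML text and quoted attribute contexts; a value written into a script block, an inline event handler or a URL needs the encoder for that context instead, which is why the fix has to be applied at the point of output, not once on input.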


Google's Vanessa Fox said in a blog posting:
When we first started showing statistics a couple of months ago, we put a system in place to prevent anyone other than site owners from seeing stats for a site. We ask each site owner to place a unique file on the site and then we check to see if that file exists. When we do that check, we first make sure that the server isn't misconfigured to return a valid page when a request is made for a page that doesn't exist. We only verify sites that are configured correctly. You can read more about that process in our documentation.

Unfortunately, with our latest release, a bug prevented this process from working correctly. We fixed this as soon as we found out about the problem. We take your privacy very seriously and are currently investigating other approaches to further enhance security.
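The two-step check Fox describes, as an added example that is not Google's own code: a request for a file that cannot exist must come back 404 before the token file is looked up, because a server that answers 200 to everything would otherwise "verify" for anyone. The token file name, the probe path, the fake servers and the injected fetchStatus(url) function are all assumptions constructed so the example runs offline.

```javascript
// Added example, not Google's Sitemaps code: site-ownership verification
// with the "soft 404" guard described in the post. fetchStatus(url)
// returns an HTTP status code and is injected so the example runs offline.

// Returns { verified, reason } for whether `host` proved it owns `token`.
function verifySite(host, token, fetchStatus) {
  // Step 1: ask for a file that cannot exist. A correctly configured
  // server answers 404; one that answers 200 for anything cannot be
  // trusted, because step 2 would then succeed for every token.
  // (Math.random is used for brevity; a real probe name should come from
  // a CSPRNG so a hostile server cannot special-case it.)
  const probePath = "/" + Math.random().toString(36).slice(2) + ".html";
  if (fetchStatus(`http://${host}${probePath}`) !== 404) {
    return { verified: false, reason: "non-404 for a missing file (soft 404)" };
  }

  // Step 2: the unique file the owner was asked to upload must exist.
  // The file name scheme is an assumption for this example.
  const tokenPath = `/google${token}.html`;
  if (fetchStatus(`http://${host}${tokenPath}`) !== 200) {
    return { verified: false, reason: "token file missing" };
  }
  return { verified: true, reason: "ok" };
}

// Constructed stand-ins for web servers: `files` is the set of paths that
// exist; `soft404` makes the server answer 200 for everything else.
function makeServer(files, soft404) {
  return (url) => {
    const path = new URL(url).pathname;
    if (files.has(path)) return 200;
    return soft404 ? 200 : 404;
  };
}

const TOKEN = "abc123"; // constructed token, not a real Google value
const ownerServer = makeServer(new Set([`/google${TOKEN}.html`]), false);
const soft404Server = makeServer(new Set(), true);   // 200 for every path
const strangerServer = makeServer(new Set(), false); // never uploaded a token

console.log("owner:   ", verifySite("example.com", TOKEN, ownerServer));
console.log("soft 404:", verifySite("example.com", TOKEN, soft404Server));
console.log("stranger:", verifySite("example.com", TOKEN, strangerServer));
```

Note what the check does and does not prove: it shows that whoever holds the token can place a file at that path on the host, which is exactly what the post describes, and nothing more. Skipping or breaking step 1 is enough to let anyone whose hosting returns a 200 for unknown paths pass as the owner.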


IMHO, I don't believe the bug was introduced in the latest release; rather, I believe the bug went undetected until it was reported. But again, that's just my opinion.

Google patches its Google Base software