#1
Lame Google coders can't even protect your privacy
So Matt Cutts made this huge post defending Google over the recent report from Privacy International. Yet last night I found a blatant mistake any half assed coder should be able to pick up on. When a friend sent me a link to this rather boring video http://video.google.co.uk/videoplay?...85184878490822 I immediately noticed the 'Email - Blog - Post to Myspace' link on the right side. As any curious person would do I decided to check it out to see how Google has integrated with MySpace.
So after clicking I was greeted with the following popup http://video.google.co.uk/blogpost?d...22&siteindex=3 and immediately noticed that the url of it was http, and not https. An insecure form... So I figured it must be posting the login details to a https url, so I pulled out live headers and this is what I got:

http://video.google.co.uk/blogpost

POST /blogpost HTTP/1.1
Host: video.google.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://video.google.co.uk/blogpost?d...22&siteindex=3
Content-Length: 42
Cookie: PREF=ID=26c938172fc51030:TM=1178041215:LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
Pragma: no-cache
Cache-Control: no-cache

req=login&name=myusername&pass=mypassword&site=MySpace

What the heck, Google is posting not only Blogger account details, but LJ, MySpace and TypePad login details over a plain text protocol. Any coder who has more than six months' experience can tell you that you don't post sensitive information without SSL, but here we have a billion dollar company with highly paid coders who thinks it's perfectly ok. How did this ever get past a security check?

After Matt Cutts mentioned the selling of clickstream data where ISPs are monitoring http request urls, how much extra work would it be for an employee to add a patch to catch post data and start picking up people's social network logins from this url.

Am I being too harsh to Google about this? Most likely, but they need a serious wakeup call if they let a mistake like this get into public usage. Who knows who else has noticed this and started logging data.
#2
Quote:
#4
Any upstream on the data can. This means someone who hacks your school network, a sibling in your house or over wireless, a disgruntled ISP employee, many different people...
#5
Try logging in with the username and password, they may have encrypted it.
#6
I did, that's why I posted the Live HTTP Headers dump. They aren't posting to a secure url.
#7
wow, that's a big oversight on Google's part..
#8
You should blog this and submit it to digg
#9
I don't blog, let someone else take credit and rewrite in a way that more people will understand.
#10
Entriple, thanks for posting this like we discussed.
I added a blog post at http://www.seroundtable.com/archives/013820.html.
#11
Quote:
http://smackdown.blogsblogsblogs.com...gg-login-info/
-Michael
#12
With the way (i)google recently merged our accounts into one, this is a huge deal indeed.
See also: http://forums.digitalpoint.com/showthread.php?t=316850
Interesting too that they give myspace tips on preventing phishing, but can't do it that well themselves: http://googleonlinesecurity.blogspot.com/
#13
Hope I am wrong but having access to this information
Quote:
#14
Quote:
It's like me having your username and password for DP wouldn't give me access to anything but your info. Not sure why you would think otherwise.
-Michael
#15
and this is Google's fault because?
Well, if you had bothered to take a peek at myspace and look at their login form you would see this:
Code:
<form action="http://login.myspace.com/index.cfm?fuseaction=login.process&MyToken=4937b2a0-2677-4d4b-960e-344f5cdff243" method="post" name="theForm" id="theForm">
<input type="hidden" name="Login" id="Login" value="" />
<br />
<div class="row">
<label for="email">
E-Mail
:</label>
<input type="text" name="email" id="email" value="" />
</div>
<div class="row">
<label for="password">
Password
:</label>
<input name="password" type="password" id="password" /><br />
</div>
<div class="clear" style="margin-left: -8px; margin-bottom: 3px;">
<input type="checkbox" name="Remember" value="Remember" id="checkbox" />
<label for="checkbox">
Remember Me
</label>
<br />
</div>
<div style="margin-left: 21%">
<input src="http://x.myspace.com/images/button_login_main.gif" name="ctl00$Main$SplashDisplay$ctl01$loginbutton" type="image" id="ctl00_Main_SplashDisplay_ctl01_loginbutton" alt="Member Login" onclick="doSubmit('ctl00_Main_SplashDisplay_ctl01_loginbutton');" />
<a id="ctl00_Main_SplashDisplay_ctl01_signUpHyperLink" title="SignUp" href="http://signup.myspace.com/index.cfm?fuseaction=join&MyToken=4937b2a0-2677-4d4b-960e-344f5cdff243"><img title="SignUp" src="http://x.myspace.com/images/button_signup_main.gif" style="border-width:0px;" /></a><br />
<a href="http://collect.myspace.com/index.cfm?fuseaction=user.retrievepassword&MyToken=4937b2a0-2677-4d4b-960e-344f5cdff243" class="right">
Forgot your password?
</a>
<div class="clear">
</div>
</div>
</form>
They could put it in a post but it would be just as insecure as it is now using a get method. However, I do not like Google's data collection and I saw today that they had to limit it for European users to comply with a European investigation into their data.
Pierce
#16
wow you're such a nerd
#17
This is already posted in Search Engine Journal
http://www.searchenginejournal.com/g...ormation/5086/
#18
Yeah, SEJ beat us to it. I should have jumped on it as soon as I saw it. Oh well.
But Loren was smart on that. He got on front page of Digg. But I did get on Slashdot. ;-) I'd rather get on Digg.
#19
Who cares? If you really want someone's myspace password, there are easier ways of getting it than google video.
#20
Quote:
The point is Matt Cutts defends Google, then this happens! Google tends to have a holier than thou type attitude to webmaster... so when this happens you have to expect people to be angry!