So Matt Cutts made this huge post defending Google over the recent report from Privacy International. Yet last night I found a blatant mistake any half-assed coder should be able to pick up on. When a friend sent me a link to this rather boring video http://video.google.co.uk/videoplay?docid=-8545585184878490822 I immediately noticed the 'Email - Blog - Post to Myspace' link on the right side. As any curious person would do, I decided to check it out to see how Google has integrated with MySpace. So after clicking I was greeted with the following popup http://video.google.co.uk/blogpost?docid=-8545585184878490822&siteindex=3 and immediately noticed that the URL of it was http, and not https. An insecure form... So I figured it must be posting the login details to an https URL, so I pulled out live headers and this is what I got:

http://video.google.co.uk/blogpost
POST /blogpost HTTP/1.1
Host: video.google.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://video.google.co.uk/blogpost?docid=-8545585184878490822&siteindex=3
Content-Length: 42
Cookie: PREF=ID=26c938172fc51030:TM=1178041215:LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
Pragma: no-cache
Cache-Control: no-cache

req=login&name=myusername&pass=mypassword&site=MySpace

What the heck, Google is posting not only Blogger account details, but LJ, MySpace and TypePad login details over a plain-text protocol. Any coder who has more than six months' experience can tell you that you don't post sensitive information without SSL, but here we have a billion-dollar company with highly paid coders who think it's perfectly OK.
How did this ever get past a security check? After Matt Cutts mentioned the selling of clickstream data where ISPs are monitoring HTTP request URLs, how much extra work would it be for an employee to add a patch to catch POST data and start picking up people's social network logins from this URL? Am I being too harsh on Google about this? Most likely, but they need a serious wake-up call if they let a mistake like this get into public usage. Who knows who else has noticed this and started logging data.
Wow, that's messed up. With all the Google hackers it won't be long before it's exploited and people are losing access to whatever their names and passwords go to.
Any upstream on the data can. This means someone who hacks your school network, a sibling in your house or over wireless, a disgruntled ISP employee, many different people...
Entriple, thanks for posting this like we discussed. I added a blog post at http://www.seroundtable.com/archives/013820.html.
Wanna see something funnier? Someone posted the article to Digg, and missed the fact that Digg isn't using SSL either. http://smackdown.blogsblogsblogs.com/2007/06/12/digg-flaw-gives-out-digg-login-info/ -Michael
With the way (i)google recently merged our accounts into one, this is a huge deal indeed. See also: http://forums.digitalpoint.com/showthread.php?t=316850 Interesting too that they give myspace tips on preventing phishing, but can't do it that well themselves: http://googleonlinesecurity.blogspot.com/
No, you are wrong. This has nothing to do with SQL injections, or behind the scenes passwords. It's just about individual user passwords is all. It's like me having your username and password for DP wouldn't give me access to anything but your info. Not sure why you would think otherwise. -Michael
And this is Google's fault because? Well, if you had bothered to take a peek at MySpace and look at their login form you would see this:

<form action="http://login.myspace.com/index.cfm?fuseaction=login.process&MyToken=4937b2a0-2677-4d4b-960e-344f5cdff243" method="post" name="theForm" id="theForm">
  <input type="hidden" name="Login" id="Login" value="" />
  <br />
  <div class="row">
    <label for="email"> E-Mail :</label>
    <input type="text" name="email" id="email" value="" />
  </div>
  <div class="row">
    <label for="password"> Password :</label>
    <input name="password" type="password" id="password" /><br />
  </div>
  <div class="clear" style="margin-left: -8px; margin-bottom: 3px;">
    <input type="checkbox" name="Remember" value="Remember" id="checkbox" />
    <label for="checkbox"> Remember Me </label>
    <br />
  </div>
  <div style="margin-left: 21%">
    <input src="http://x.myspace.com/images/button_login_main.gif" name="ctl00$Main$SplashDisplay$ctl01$loginbutton" type="image" id="ctl00_Main_SplashDisplay_ctl01_loginbutton" alt="Member Login" onclick="doSubmit('ctl00_Main_SplashDisplay_ctl01_loginbutton');" />
    <a id="ctl00_Main_SplashDisplay_ctl01_signUpHyperLink" title="SignUp" href="http://signup.myspace.com/index.cfm?fuseaction=join&MyToken=4937b2a0-2677-4d4b-960e-344f5cdff243"><img title="SignUp" src="http://x.myspace.com/images/button_signup_main.gif" style="border-width:0px;" /></a><br />
    <a href="http://collect.myspace.com/index.cfm?fuseaction=user.retrievepassword&MyToken=4937b2a0-2677-4d4b-960e-344f5cdff243" class="right"> Forgot your password? </a>
    <div class="clear"> </div>
  </div>
</form>

What do you see? A non-SSL login to MySpace! So Google is not at fault. They could put it in a POST but it would be just as insecure as it is now using a GET method. However, I do not like Google's data collection and I saw today that they had to limit it for European users to comply with a European investigation into their data. Pierce
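The defect in both the Google Video popup from the first post and the MySpace form quoted above is the same: a form with a password field whose action resolves to a plain http URL. This is an added Python check, not code from this thread, Google or MySpace, that parses a page's forms and reports any such form; the sample markup is constructed (field names taken from the captured request and the quoted form, the MyToken query dropped), and the page URL passed in is assumed to be the URL the form was served from.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Record each <form>'s resolved action, method and whether it holds a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL; resolving
            # against the page URL is what reveals the real scheme the credentials use.
            self._cur = {"action": urljoin(self.page_url, a.get("action") or ""),
                         "method": (a.get("method") or "get").lower(),
                         "has_password": False}
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "text").lower() == "password":
                self._cur["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def insecure_login_forms(html, page_url):
    """Return the resolved actions of forms that send a password field to a non-https endpoint."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [f["action"] for f in auditor.forms
            if f["has_password"] and urlsplit(f["action"]).scheme != "https"]


# Constructed sample page (hypothetical markup): the first form mirrors the field names in the
# captured Google Video request, the second the MySpace form quoted above (MyToken removed).
SAMPLE_HTML = """
<form action="/blogpost" method="post"><input type="text" name="name" /><input type="password" name="pass" /></form>
<form action="http://login.myspace.com/index.cfm?fuseaction=login.process" method="post">
  <input type="text" name="email" /><input name="password" type="password" />
</form>
<form action="https://example.test/login" method="post"><input type="password" name="pw" /></form>
<form action="/search" method="get"><input type="text" name="q" /></form>
"""

if __name__ == "__main__":
    for action in insecure_login_forms(SAMPLE_HTML, "http://video.google.co.uk/blogpost"):
        print("password field submitted to non-TLS endpoint:", action)
```

Only the first two forms are reported: the relative action inherits the popup's http scheme, the MySpace action is explicitly http, the https form passes, and the search form has no password field.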
This is already posted in Search Engine Journal http://www.searchenginejournal.com/...e-private-username-password-information/5086/
Yea, SEJ beat us to it. I should have jumped on it as soon as I saw it. Oh well. But Loren was smart on that. He got on the front page of Digg. But I did get on Slashdot. ;-) I'd rather get on Digg.
Who cares? If you really want someone's MySpace password, there are easier ways of getting it than Google Video.
Not the point. The point is Matt Cutts defends Google, then this happens! Google tends to have a holier-than-thou type attitude to webmasters... so when this happens you have to expect people to be angry!