1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Lame Google coders can't even protect your privacy

Discussion in 'Google' started by Entriple, Jun 12, 2007.

  1. #1
    So Matt Cutts made this huge post defending Google over the recent report from Privacy International. Yet last night I found a blatant mistake any half assed coder should be able to pick up on. When a friend sent me a link to this rather boring video http://video.google.co.uk/videoplay?docid=-8545585184878490822 I immediately noticed the 'Email - Blog - Post to Myspace' link on the right side. As any curious person would do I decided to check it out to see how Google has integrated with MySpace.

    So after cliking I was greeted with the following popup http://video.google.co.uk/blogpost?docid=-8545585184878490822&siteindex=3 and immediately noticed that the url of it was http, and not https. An insecure form... So I figured it must be posting the login details to a https url, so I pulled out live headers and this is what I got:

    http://video.google.co.uk/blogpost

    POST /blogpost HTTP/1.1
    Host: video.google.co.uk
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Referer: http://video.google.co.uk/blogpost?docid=-8545585184878490822&siteindex=3
    Content-Length: 42
    Cookie: PREF=ID=26c938172fc51030:TM=1178041215:LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
    Pragma: no-cache
    Cache-Control: no-cache
    req=login&name=myusername&pass=mypassword&site=MySpace

    What the heck, Google is posting not only Blogger account details, but LJ, MySpace and TypePad login details over a plain text protocol. Any coder who has more than six months experience can tell you that you don't post sensitive information without SSL, but here we have a billion dollar company with highly paid coders who thinks it's perfectly ok. How did this ever get past a security check?

    After Matt Cutts mentioned the selling of clickstream data where ISP's are monitoring http request urls, how much extra work would it be for an employee to add a patch to catch post data and start picking up peoples social network logins from this url.

    Am I being too harsh to Google about this? Most likely, but they need a serious wakeup call if they let a mistake like this get into public usage. Who knows who else has noticed this and started logging data.
     
    Entriple, Jun 12, 2007 IP
    Emie. likes this.
  2. Daniel591992

    Daniel591992 Well-Known Member

    Messages:
    594
    Likes Received:
    19
    Best Answers:
    0
    Trophy Points:
    125
    #2
    That's crazy. Can a normal person somehow get access to the info?
     
    Daniel591992, Jun 12, 2007 IP
    Emie. likes this.
  3. rhino56

    rhino56 Peon

    Messages:
    414
    Likes Received:
    10
    Best Answers:
    0
    Trophy Points:
    0
    #3
    wow thats messed up, with all the google hackers it wont be long before its exploited and people are losing access to whatever their names and psswords go to.
     
    rhino56, Jun 12, 2007 IP
  4. Entriple

    Entriple Peon

    Messages:
    48
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #4
    Any upstream on the data can. This means someone who hacks your school network, a sibling in your house or over wireless, a disgruntled ISP employee, many different people...
     
    Entriple, Jun 12, 2007 IP
  5. stock_post

    stock_post Prominent Member

    Messages:
    5,213
    Likes Received:
    249
    Best Answers:
    0
    Trophy Points:
    310
    #5
    Try login with the username and password, they may have encripted it.
     
    stock_post, Jun 12, 2007 IP
  6. Entriple

    Entriple Peon

    Messages:
    48
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #6
    I did, thats why I posted the Live HTTP Headers dump. They aren't posting to a secure url.
     
    Entriple, Jun 12, 2007 IP
  7. oseymour

    oseymour Well-Known Member

    Messages:
    3,960
    Likes Received:
    92
    Best Answers:
    0
    Trophy Points:
    135
    #7
    wow, that's a big oversight on Google's part..
     
    oseymour, Jun 12, 2007 IP
  8. BigBadWolf

    BigBadWolf Well-Known Member

    Messages:
    1,727
    Likes Received:
    67
    Best Answers:
    0
    Trophy Points:
    140
    #8
    You should blog this and submit it to digg :D
     
    BigBadWolf, Jun 12, 2007 IP
  9. Entriple

    Entriple Peon

    Messages:
    48
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #9
    I don't blog, let someone else take credit and rewrite in a way that more people will understand.
     
    Entriple, Jun 12, 2007 IP
  10. rustybrick

    rustybrick User ID 3

    Messages:
    384
    Likes Received:
    41
    Best Answers:
    0
    Trophy Points:
    158
    #10
    rustybrick, Jun 12, 2007 IP
  11. mvandemar

    mvandemar Notable Member

    Messages:
    2,409
    Likes Received:
    307
    Best Answers:
    0
    Trophy Points:
    230
    #11
    mvandemar, Jun 12, 2007 IP
  12. kh7

    kh7 Peon

    Messages:
    2,715
    Likes Received:
    109
    Best Answers:
    0
    Trophy Points:
    0
    #12
    kh7, Jun 12, 2007 IP
  13. infonote

    infonote Well-Known Member

    Messages:
    4,032
    Likes Received:
    68
    Best Answers:
    0
    Trophy Points:
    160
    #13
    Hope I am wrong but having access to this information

    You can use a SQL Injection to enter MySpace.
     
    infonote, Jun 12, 2007 IP
  14. mvandemar

    mvandemar Notable Member

    Messages:
    2,409
    Likes Received:
    307
    Best Answers:
    0
    Trophy Points:
    230
    #14
    No, you are wrong. This has nothing to do with SQL injections, or behind the scenes passwords. It's just about individual user passwords is all.

    It's like me having your username and password for DP wouldn't give me access to anything but your info. Not sure why you would think otherwise.

    -Michael
     
    mvandemar, Jun 12, 2007 IP
  15. Pierce

    Pierce Active Member

    Messages:
    634
    Likes Received:
    26
    Best Answers:
    0
    Trophy Points:
    95
    #15
    and this is googles fault because?

    Well, if you had bothered to take a peak at myspace and look at there login form you would see this:

    <form action="[COLOR="Red"]http://login.myspace.com/index.cfm?fuseaction=login.process&MyToken=4937b2a0-2677-4d4b-960e-344f5cdff243[/COLOR]" method="post" name="theForm" id="theForm">
    
                <input type="hidden" name="Login" id="Login" value=""  />
                
                <br />
                <div class="row">
                    <label for="email">
                        E-Mail
                        :</label>
                    <input type="text" name="email" id="email" value="" />
                </div>
                <div class="row">
    
                    <label for="password">
                        Password
                        :</label>
                    <input name="password" type="password" id="password" /><br />
                </div>
                <div class="clear" style="margin-left: -8px; margin-bottom: 3px;">
                    <input type="checkbox" name="Remember" value="Remember" id="checkbox"  />
                    <label for="checkbox">
                        Remember Me
                    </label>
    
                    <br />
                </div>
                <div style="margin-left: 21%">
                    <input src="http://x.myspace.com/images/button_login_main.gif" name="ctl00$Main$SplashDisplay$ctl01$loginbutton" type="image" id="ctl00_Main_SplashDisplay_ctl01_loginbutton" alt="Member Login" onclick="doSubmit('ctl00_Main_SplashDisplay_ctl01_loginbutton');" />
                    <a id="ctl00_Main_SplashDisplay_ctl01_signUpHyperLink" title="SignUp" href="http://signup.myspace.com/index.cfm?fuseaction=join&amp;MyToken=4937b2a0-2677-4d4b-960e-344f5cdff243"><img title="SignUp" src="http://x.myspace.com/images/button_signup_main.gif" style="border-width:0px;" /></a><br />
                    <a href="http://collect.myspace.com/index.cfm?fuseaction=user.retrievepassword&MyToken=4937b2a0-2677-4d4b-960e-344f5cdff243" class="right">
                        Forgot your password?
                    </a>
                    <div class="clear">
    
                    </div>
                </div>
            </form>
    Code (markup):
    What do you see? A non ssl login to myspace! So google is not at fault.

    They could put it in a post but it would be just as insecure as it is now using a get method.

    However, I do not like googles data collection and I seen today that they had to limit it for european users to comply with a european investigation into their data.

    Pierce
     
    Pierce, Jun 12, 2007 IP
  16. Canadianbacon

    Canadianbacon Well-Known Member

    Messages:
    1,231
    Likes Received:
    76
    Best Answers:
    0
    Trophy Points:
    173
    Articles:
    1
    #16
    wow you're such a nerd :)
     
    Canadianbacon, Jun 12, 2007 IP
  17. rkquest

    rkquest Well-Known Member

    Messages:
    828
    Likes Received:
    23
    Best Answers:
    0
    Trophy Points:
    140
    #17
    rkquest, Jun 12, 2007 IP
  18. rustybrick

    rustybrick User ID 3

    Messages:
    384
    Likes Received:
    41
    Best Answers:
    0
    Trophy Points:
    158
    #18
    YEa, SEJ beat us to it. I should of jumped on it as soon as I saw it. Oh well.

    But Loren was smart on that. :) He got on front page of Digg. But I did get on Slashdot. ;-) I rather get on Digg.
     
    rustybrick, Jun 13, 2007 IP
  19. galin

    galin Guest

    Messages:
    3
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #19
    Who cares? If you really want someones myspace password, there are easyer ways of getting it then google video.
     
    galin, Dec 3, 2007 IP
  20. mikeid22

    mikeid22 Notable Member

    Messages:
    1,459
    Likes Received:
    57
    Best Answers:
    1
    Trophy Points:
    210
    #20
    Not the point.

    the point is Matt Cutts defends Google, then this happens!

    Google tends to have a holier than tho type attitude to webmaster... so when this happens you have to expect people to be angry!
     
    mikeid22, Dec 24, 2007 IP