Forum latest

A missed step or a stumble?
General
Written by Daniel   
Monday, 18 September 2006 16:04
What's Wrong With Google?
Dark Reading

SEPTEMBER 18, 2006 | Google has come up with a temporary fix that prevents attackers from exploiting a newly discovered vulnerability in its Public Service Search. The potential exploit lets an attacker place a fake Google sign-in page on Google's actual servers.

Cory Altheide, security manager for Google, said in Google's Webmaster Central blog on Friday that Google has temporarily disabled logins on the service and is working on a permanent fix. So Public Search Service, which is aimed at universities and nonprofits, for now is closed to new signups.

But the glitch is just the latest in a series of security problems that have plagued the search engine firm of late. In the past few months, Google has been the victim of phishing scams on Gmail, toolbar problems, and a trojan that offered Google "updates" but instead made its victims bots. (See Google Toolbar Bug Warns Against Changing Search Engine Default and New Trojan Offers Google Update.) Google's search engine, too, has been abused by would-be attackers searching for vulnerabilities to exploit.

This latest phishing vulnerability, meanwhile, is bolder than most phishing scams because an attacker can place his fake page on the actual Google service and steal usernames and passwords for real Google services. Google's Altheide says in the blog the company knows of no exploits of the vulnerability thus far, "and this service represents an extremely small portion of searches."

So what's causing this wave of security woes at Google? Much of the problem lies in Google's open API model, analysts say. While Google's APIs have helped spread the search engine's popularity, they also leave it open to security weaknesses. "Whenever you have developers being able to create their own search APIs and maps, they can do wacky things," says Charlene Li, an analyst with Forrester Research. "They are a big fat target out there... The APIs make them even more potentially vulnerable."

Discussion

 
Don't Click Here Don't Click Here Either