After Microsoft, Yahoo and Skype, Google has
become the latest household name to find its security under
question after having to patch its Google Base
content-hosting service to prevent attackers
stealing sensitive information from users.
The problem, which was patched within hours of its
discovery, allowed attackers to steal cookies and other information
from Google Base users and embed fraudulent forms within Google
Base web pages. This cross-site scripting vulnerability has also
cropped up in Google’s search service.
Google Base gives users a way to classify and
post information such as recipes or classified advertisements. The
items listed also appear on appropriate parts of Google’s site,
such as the web index, the Froogle comparison shopping site and the
local business directory.
The bug in Google Base was said to have been easy to
find, due to “incompetent” programming, but what has irritated
security specialists is Google’s lack of acknowledgement of any
security holes.
They suggest flaws in programs from companies such
as Yahoo and Google show they need to improve testing or risk
losing public trust in their products. The fear is that the
security problems provide fraudsters with the tools to create
plausible phishing sites because the base URL would be that of a
well-known brand.
There will probably have to be more flaws and
criticism before Google holds up its hands and pleads, “Mea
culpa”.