After Microsoft, Yahoo and Skype, Google has become the latest household name to find its security under question after having to patch its Google Base content-hosting service to prevent attackers stealing sensitive information from users.
The problem, which was patched within hours of its discovery, allowed attackers to steal cookies and other information from Google Base users and embed fraudulent forms within Google Base web pages. This cross-site scripting vulnerability has also cropped up in Google’s search service.
Google Base gives users a way to classify and post information such as recipes or classified advertisements. The items listed also appear on appropriate parts of Google’s site, such as the web index, the Froogle comparison shopping site and the local business directory.
The bug in Google Base was said to have been easy to find, due to “incompetent” programming, but what has irritated security specialists is Google’s lack of acknowledgement of any security holes.
They suggest flaws in programs from companies such as Yahoo and Google show they need to improve testing or risk losing public trust in their products. The fear is that the security problems provide fraudsters with the tools to create plausible phishing sites because the base URL would be that of a well-known brand.
There will probably have to be more flaws and criticism before Google holds up its hands and pleads, “Mea culpa”.