Major Froogle/Google/Groups/Gmail Security Bug found

   
4:34 pm on Jan 14, 2005 (gmt 0)

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



If you can read Hebrew, you can read the details here:

[ynet.co.il...]

If you can't, you can read the interp report here:

[aviransplace.com...]

By embedding JavaScript in a URL pointing to Froogle, a hacker can gain access to the user's Gmail account. The JavaScript redirects the browser to a malicious web site, where the hacker can read the user's cookie, which contains personal information, such as purchase history, user name and password for Google services.

This, the same day that they fixed another Gmail bug:
[computerworld.com...]
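
Added example, not part of the thread and not Google's code: the class of bug described above (script carried in a URL parameter and echoed into the page, with a cookie that script can read) next to the two server-side defences, output encoding and a script-inaccessible session cookie. The `q` parameter, the `shop.example.test` host and the `sid` cookie name are hypothetical.

```javascript
// Added example; every name here (q, sid, shop.example.test) is hypothetical.

// Encode the five characters that let text break out of HTML element or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// BEFORE: the decoded query value is pasted into the response,
// so markup placed in the URL becomes markup in the page.
function renderUnsafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return `<p>Results for ${q}</p>`;
}

// AFTER: same page, with the value encoded for HTML context before it is echoed.
function renderSafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return `<p>Results for ${escapeHtml(q)}</p>`;
}

// Session cookie carrying only an opaque random token (never a user name or
// password), hidden from page script (HttpOnly) and sent over HTTPS only (Secure).
function sessionCookieHeader(sessionId) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) {
    throw new Error('session id must be an opaque token');
  }
  return `sid=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample request with markup in the query string.
const SAMPLE_URL = 'https://shop.example.test/search?q=' +
  encodeURIComponent('<script>document.title="x"</script>');

console.log(renderUnsafe(SAMPLE_URL));
console.log(renderSafe(SAMPLE_URL));
console.log(sessionCookieHeader('Zq3v9Lk2Xw7Pn5Ty8Rb1'));
```
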

6:18 pm on Jan 14, 2005 (gmt 0)

WebmasterWorld Senior Member powdork is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Is there any way folks could get hold of adsense or adwords passwords this way?
7:22 pm on Jan 14, 2005 (gmt 0)

10+ Year Member



Hey Brett,
As an FYI - that page in Hebrew is just a login page, not the actual article. That newspaper changed their site to subscription based a few years ago.

Alon

7:31 am on Jan 15, 2005 (gmt 0)

10+ Year Member



The ynet article also states that this kind of flaw, although not trivial to perform, is present in many major sites, and that users should be aware of any comparison sites using URL referrals with your proprietary user ID or account ID stringed to it.

Ron

7:45 am on Jan 15, 2005 (gmt 0)

10+ Year Member



[slashdot.org...]

Has been fixed.

7:59 am on Jan 15, 2005 (gmt 0)

WebmasterWorld Senior Member powdork is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Has been fixed.
Did you read all of Brett's initial post?
10:15 am on Jan 15, 2005 (gmt 0)

10+ Year Member



Well actually Ynet is still free for Israeli users, however, worldwide IPs have to subscribe. Just confirmed that with a proxy server.

Eyal

2:25 am on Jan 20, 2005 (gmt 0)

10+ Year Member



Why on earth is this reported in Hebrew - only Jews can read Hebrew
2:32 am on Jan 20, 2005 (gmt 0)



"Why on earth is this reported in Hebrew - only Jews can read Hebrew"

That's the language they write on their site. Anyone really interested (like Google) will find a Jew to translate it.

2:53 am on Jan 20, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



...only Jews can read Hebrew

Jews aren't the only people that can read Hebrew.

2:59 am on Jan 20, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



And some Jews (okay, LOTS of us) can't read Hebrew. But anyway, lots of high tech people are Israeli, so it stands to reason that some breaking stories will come out of Israel, and they won't be packaged all nice and tidy for Americans.
3:29 am on Jan 20, 2005 (gmt 0)

10+ Year Member



For those complaining that they can't read Hebrew, remember...there are Jews/Israelis that cannot read English. So for them the only way to post/read this information is in Hebrew.
5:22 pm on Jan 20, 2005 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Edit: wrong thread, apologies all, been working too hard and late. :-)

[edited by: rocknbil at 5:49 pm (utc) on Jan. 20, 2005]

5:34 pm on Jan 20, 2005 (gmt 0)



I posted this on Foo yesterday. [webmasterworld.com...]

"It wasn't yesterday, in fact this worm may have been around for months and it's just not being recognized by virus software. It apparently can even operate users' connected webcams - the perpetrator was arrested while spying on several remote comps this way. If true, this is big."

7:06 pm on Jan 20, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



And here's the kicker, apparently although the bug has been fixed, all compromised accounts, even if the user changes their password, are still open to the crackers.

Now imagine that scenario when the next desktop search hole is found and you'll start understanding why desktop search is possibly one of the very worst ideas ever to come up, about as bad as linking IE to the guts of Windows through active x etc. Some ideas are just intrinsically bad.

 
