Google Base launched with security hole

A British computer scientist says "incompetent" programming is to blame for a security bug in Google Base.

Google has patched a security problem with its Google Base that allowed attackers to steal sensitive information from users of the new content-hosting service.

The problem, which was patched within hours of its discovery earlier this week, allowed attackers to steal cookies and other information from Google Base users and also gave attackers a way to embed fraudulent forms within Google Base Web pages. This type of problem, called a cross-site scripting vulnerability, has also cropped up in Google's search service and in Yahoo's mapping product.

Google Base, which was released in beta version on Wednesday, gives users a way to classify and post information like recipes or classified advertisements. Items that are listed there will then also appear at appropriate parts of Google's site, such as the Web index, the Froogle comparison shopping site and the local business directory.

The bug in Google Base was easy to find, and was due to "incompetent" programming on Google's part, according to Jim Ley, the U.K. computer expert who discovered the bug. "There'd obviously been no security testing whatsoever and there were trivially obvious [cross site scripting] holes in it," he wrote of Google Base, in a blog posting dated Wednesday.

Security experts have criticized Google in the past for being excessively secretive about what, if any, security procedures it uses to develop products. While rival Microsoft Corp. has gone to great lengths to publicly describe the steps it is taking to improve security in its software, Google has refused to talk about security, other than to confirm that it does have some employees who work in the area.

Google did not return calls seeking comment for this article.

The search giant's silence on the topic clearly irritated Ley, who said that Google didn't even send him an e-mail to acknowledge his initial report of the cross-scripting bug. "Google appear to have a complete silence approach to security, I guess they think what the public don't know can't worry them," he wrote on his blog.

Ley has discovered similar cross-scripting problems with Google's search service, and in Yahoo Maps.

These flaws show that companies like Yahoo and Google need to improve testing or risk losing public trust in their products, wrote Paul Mutton an Internet Services Developer with Netcraft. "The nature of the problems discovered by Ley provides fraudsters with the tools to create phishing sites with a good level of plausibility because the base URL would be that of a well-known brand - in this case Google or Yahoo," he wrote in a posting to Netcraft's Web site.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?