[ISN] Google's Accelerator Breaks Web Apps, Security

From: InfoSec News (isn@private)
Date: Mon May 09 2005 - 01:24:30 PDT


http://www.eweek.com/article2/0,1759,1813761,00.asp

By Matt Hicks 
May 6, 2005 

Google's effort to speed the pace of Web browsing quickly aggravated 
some early users, who say that the software is delivering them Web 
pages under other users' logins and breaking Web applications. 

Google Inc.'s Web Accelerator application, launched as a test on 
Wednesday, uses a combination of local and server-based caching and 
preloading of Web pages to more quickly serve Web pages to a user's 
browser. Google's servers, in many ways, act as an intermediary 
between Web sites and a user's browser. 

But Google's approach has had some unintended consequences. Google 
officials Friday confirmed that the company was aware of as many as 
five sites where Web Accelerator was returning users cached pages 
under other people's user names. 

The Mountain View, Calif.-based company has stopped caching pages from 
those sites, said Marissa Mayer, Google's director of consumer Web. 

Users of some smaller Web forum sites have complained in online
postings that they began receiving Web pages which displayed other
people's user names after downloading Web Accelerator. The forum site,
Somethingawful.com [1], was among those warning its users to avoid Web
Accelerator because of reports that pages from other users' logins
were exposed.

"It is an unfortunate problem, but it looks worse than it is," Mayer 
said. "We are caching those pages on the server side with the user 
name on them. You see it, but it's important to point out that you are 
not logged in as user and you do not have the session cookies needed 
to perform operations as [that] user." 

Mayer said the problem stemmed from the way some sites have 
implemented their HTTP cache-control headers, which provide 
information such as language preferences to a browser. Google uses 
those headers to determine whether a page is meant for an individual 
user, in which case it would not live on its servers, Mayer said. 

Google plans to notify the Webmasters of the affected sites about the 
need to fix their cache-control headers as well as work on a solution 
within Web Accelerator, Mayer said. 

Web Accelerator already prevented secure sites using the HTTPS 
protocol, such as online banking and e-mail sites, from being cached. 

Web Accelerator's problems appear to extend beyond forum sites, 
though. Web-based software developer 37Signals LLC began blocking the 
program after discovering that it was initiating links which performed 
critical functions, such as account deletions, on 37Signals' Web 
applications. 

A few users complained about deleted accounts on 37Signals' Basecamp 
and Backpack applications, and the company traced the problem to Web 
Accelerator, said 37Signals President Jason Fried. To make matters 
worse, the problem occurred the same week that the Chicago-based 
company launched Backpack, a personal-information management 
application. 

"It was serious enough to frighten us, since we had just released a
product and it coincided with Google's release," said Fried, who first
wrote about the issue in his Weblog [2]. "We became aware of the Web
Accelerator issue, and within 30 minutes of figuring it out we
instituted a block."

As for Web Accelerator's impact on Web applications, Mayer initially
said that most of the reports she had seen appeared to be
unsubstantiated. When informed about 37Signals' problems, she said
that it is possible that some sites are not complying with a Web
standard used by Web Accelerator.

Web Accelerator ignores links where a question mark appears before the
URL string in the HTML code. A question mark is usually included in a
string to indicate personally identifiable information such as a user
ID and would typically be used in a link that performs a function like
a deletion, Mayer said.

"The product is in beta," Mayer said. "It could be that our assumption
around the question mark and the way sites comply with the standard is
incorrect. If that is the case, then we'll have to redesign the
prefetch algorithm."

Fried acknowledged that the applications do not conform to all
standards. For example, functions such as a deletion technically
should be handled with buttons rather than links, he said.

Google needs to recognize, however, that many sites use methods that
vary from standards, he said.

"To me, the real test here is not so much that Google may have made a
mistake but how they respond to it," Fried said. "Are they going to
call it a mistake or blame everyone else to [make them] build products
the way they should be built in a perfect world?"

For other users, Web Accelerator has caused a number of unwanted
changes to their Web browsing.

Mike Rumble, a Web programmer at U.K.-based Lawton Communications
Group Ltd., said he downloaded Web Accelerator on Thursday and soon
noticed that about one out of every 20 Web sites was failing to load.
Instead, he was redirected to an error page from Web Accelerator,
prompting him to try again or to search on Google.

Rumble faced more trouble when he visited his Web-based e-mail account
from Apple Computer Inc.'s .Mac service. He was continuously logged
out of the account, something he blamed on Web Accelerator's
preloading of pages.

"After signing in it became impossible to get any use out of the
service, as every click would lead back to a sign-in page," Rumble
said in an e-mail interview. "It appears that the Web Accelerator's
prefetching mechanism was signing me out of the service as soon as I
had signed in, by 'clicking' on the sign-out link and killing my
session."

Rumble, who regularly tries out new software for his office, said he
decided to disable Web Accelerator because he feared that it could
also wreak havoc on his company's Web-based content management system.

"Google Web Accelerator appears to be a poorly executed, potentially
destructive product," he said.

Similar sentiments to Rumble's have been shared in blog postings and
online forums across the Web, though other users have said that they
are finding that Web Accelerator is saving them time in their Web
browsing.

To Mayer, part of the backlash against Web Accelerator likely is a
result of Google sitting in the middle between users' browsers and Web
sites.

By caching Web pages on Google's servers, Web Accelerator is following
caching methods already in use by ISPs and by many corporate
firewalls, Mayer said. But Google is making that activity more visible
to users, who often are not aware that their employers or ISP may be
serving them earlier versions of a Web page.

"It does break the paradigm of how people are used to browsing," Mayer 
said. "It does change the experience slightly in little ways, and it's 
worth the tradeoff." 

[1] http://forums.somethingawful.com/showthread.php?s=935a9fdceab9656b2c04f964336ec06c&threadid=1550986
[2] http://www.37signals.com/svn/
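
Added example (not part of the eWeek article, and not code from Google or 37Signals): two checks a site operator could run against their own pages for the two failure modes described above, namely per-user responses that a shared cache is allowed to store, and plain links that change state when fetched with GET. The keyword list, the sample page and the simplified reading of the HTTP caching rules are assumptions.

```python
from html.parser import HTMLParser

# Hypothetical keyword list for spotting state-changing links; tune per application.
RISKY_WORDS = ("delete", "remove", "destroy", "logout", "signout", "sign-out")

def cache_directives(headers):
    """Parse Cache-Control into a set of lower-cased directive names."""
    value = headers.get("cache-control", "")
    return {p.split("=", 1)[0].strip().lower() for p in value.split(",") if p.strip()}

def shared_cache_can_leak(request_headers, response_headers):
    """True if a per-user response could be stored by a shared cache and
    replayed to a different user (simplified reading of HTTP caching rules)."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = cache_directives(resp)
    if cc & {"private", "no-store", "no-cache"}:
        return False                         # shared storage or unvalidated reuse forbidden
    vary = {v.strip().lower() for v in resp.get("vary", "").split(",")}
    if "cookie" in req:
        return not (vary & {"cookie", "*"})  # otherwise the cache key ignores the session
    if "authorization" in req:
        return bool(cc & {"public", "s-maxage", "must-revalidate"})
    return False                             # anonymous request: nothing per-user to leak

class _Links(HTMLParser):
    """Collects the href of every <a> element."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def risky_get_links(html):
    """Return hrefs a link-following prefetcher would GET that look state-changing."""
    parser = _Links()
    parser.feed(html)
    return [h for h in parser.hrefs
            if any(w in h.split("#")[0].lower() for w in RISKY_WORDS)]

# Constructed sample page: two plain links act on state; the form uses POST instead.
SAMPLE_PAGE = """<a href="/projects/7">Open</a>
<a href="/projects/7/delete">Delete project</a>
<a href="/session/logout">Sign out</a>
<form method="post" action="/projects/8/delete"><button>Delete</button></form>"""
```

Links reported by risky_get_links are candidates for conversion to POST forms, and responses flagged by shared_cache_can_leak need "Cache-Control: private" or "no-store".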

 
