[ISN] Glitches dent confidence in Google's offerings

From: InfoSec News (alerts@private)
Date: Tue Jan 02 2007 - 00:37:38 PST


By Asher Moses
January 2, 2007 

A serious flaw has been discovered in Google's free email service, Gmail, 
that allows attackers to steal users' entire contact lists.

To exploit the flaw, an attacker added a piece of code to a website under 
their control. Any browser that visited the page then handed over its 
user's Gmail contacts, so long as the user was also signed in to their 
Gmail account in another window of the same browser.

The hacker could then add the stolen contacts to an email spam database, 
or sell them to other spammers.

Gmail, the third most popular free web-based email service, has been 
embraced by both personal and business users alike, largely because it 
allows for easy access to messages from any computer worldwide.

Google's security team appeared to have fixed the flaw within hours, but 
various subsequent reports suggested the fix didn't address the full 
extent of the issue.

Further, it is understood that spammers were exploiting the security 
hole for quite some time before it was discovered.

The simplest way to avoid being exposed is to sign out of Gmail when it 
is not in use, since the attack only works while the browser still holds 
a signed-in Gmail session.

News of the flaw came just days after another, separate Gmail security 
issue was revealed. From late December, some Gmail users - 60, according 
to Google - logged in to their accounts to find all of their emails and 
contacts had been automatically deleted.

User complaints soon flooded Google's Gmail support discussion board, 
but some of the lost data could not be retrieved.

Google was then forced to work with each affected user to help them 
restore their messages from any personal backups they may have made.

But it is not just Gmail security flaws that have been detrimental to 
Google's goodwill leading into 2007. It has also been accused of 
monopolistic behaviour, through listing its own products at the very top 
of search results for terms such as "calendar", "blog" and "photo 

This practice is shared with other internet search providers such as 
Yahoo and Ask, but Google's actions in particular have caught the ire of 
internet users who expect the company to live up to its idealistic 
corporate motto - "Don't be evil".

Most notably, Blake Ross, a co-founder of the Firefox web browser, last 
week criticised Google in his blog, suggesting it had lost its moral 

Matt Cutts, head of Google's webspam team, responded to Mr Ross' claims 
on his own blog. Surprisingly, he agreed with many of Mr Ross' 

"I'd remove these tips or scale them way back by making sure that they 
are very relevant and targeted," Mr Cutts wrote.

Google also came under fire last month when it was accused of 
manipulating the results of its top 10 search term list, published 

Google later clarified that the list was compiled based on changes in 
the most popular searches on a year-to-year basis. Generic and offensive 
terms were not included.

Technology industry commentators have suggested that, when combined, the 
relatively minor issues could have a profound effect on Google's public 
perception, which has remained largely untainted since the company's 

"This subtle shift in public attitude could signal a tidal wave of 
negativity down the road," said Michael Arrington, author of the popular 
TechCrunch blog.


This archive was generated by hypermail 2.1.3 : Tue Jan 02 2007 - 00:57:15 PST