[ISN] Google Vulnerability A Sign Of Web 2.0 Weakness

From: InfoSec News (alerts@private)
Date: Wed Jan 03 2007 - 23:33:13 PST


By Larry Greenemeier
Jan 3, 2007

A design flaw discovered earlier this week in Web-based Google 
applications spotlights a troublesome security trend for IT departments: 
what to do about protecting internal systems and data as workers access 
Web-based e-mail and collaborative applications using their employer's 

Google's problem, first reported by the Googlified Web site and since 
patched by Google, resulted from the way Google software stored 
information in a JavaScript file on the company's servers. Prior to the 
patch, an attacker could overwrite the JavaScript Object Notation, or 
JSON, that Google used to send information from its servers to a user's 
client device and gain access to all of the contact information stored 
in a user's Gmail account, as long as that user was logged on to any 
Google application. This is known as a "cross-site request forgery." 
JSON is what makes it possible for a Web mail application to, among 
other things, fill in the "To:" field in an e-mail from a user's address 
book after the user has typed in just a few characters.
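
The weakness described above, shown from the server side as an added example (not Google's code and not part of the original article): a hypothetical contacts endpoint that trusts the session cookie alone, beside a version that also requires a per-session token. The session store, the handler names and the "x-csrf-token" header are assumptions made for illustration.

```javascript
// Constructed sample data: one logged-in session and its address book.
const SESSIONS = { "sid-alice": { user: "alice", csrfToken: "constructed-token-123" } };
const CONTACTS = { alice: ["bob@example.com", "carol@example.com"] };

// Compare two strings without stopping at the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// "Before": the cookie alone authorises the read, and the bare array is
// served as script, so any page the logged-in user visits can trigger it.
function contactsCookieOnly(req) {
  const session = SESSIONS[req.cookies.sid];
  if (!session) return { status: 401, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "text/javascript" },
    body: JSON.stringify(CONTACTS[session.user]),
  };
}

// "After": the browser still attaches the cookie to a cross-site request,
// but the other site cannot read the session's token, so the read is refused.
function contactsHardened(req) {
  const session = SESSIONS[req.cookies.sid];
  if (!session) return { status: 401, headers: {}, body: "" };
  if (!constantTimeEqual(req.headers["x-csrf-token"], session.csrfToken)) {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json",   // data, not script
      "X-Content-Type-Options": "nosniff",  // no sniffing it back into script
      "Cache-Control": "no-store",
    },
    body: JSON.stringify({ contacts: CONTACTS[session.user] }), // object, not bare array
  };
}

// Constructed requests: same cookie, but only the first-party one has the token.
const crossSiteRequest = { cookies: { sid: "sid-alice" }, headers: {} };
const firstPartyRequest = {
  cookies: { sid: "sid-alice" },
  headers: { "x-csrf-token": "constructed-token-123" },
};
```
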

Google acknowledged that, over the New Year's weekend, it was notified 
of a vulnerability related to the use of JSON objects that affected 
several of the company's products. "These objects, if abused, can expose 
information unintentionally," Google information security manager 
Heather Adkins said in a statement. The company claims that it corrected 
the problem within 24 hours of being notified.

"Google fixed the problem very quickly, which tells you how serious this 
was," says Gary McGraw, chief technology officer of Cigital, a provider 
of Web application security services. This latest Google vulnerability 
is "a bellwether of things to come as people get more serious about SOA 
and Web 2.0 capabilities, which are based on JavaScript and extensive 
client-side, browser-based functionality."

While most security experts agree that guarding Web applications, a 
notorious security soft spot today, is crucial for the overall 
well-being of systems and data, they debate whether security 
vulnerabilities in consumer-focused Web apps such as Web mail, instant 
messaging, and social networking sites such as MySpace and Facebook are 
a great threat to business IT systems.

Employees use Web mail and other Web-based services from their work 
computers, and IT managers have little control over how securely those 
Web applications are written. Yankee Group senior analyst Andrew Jaquith 
says that it's what we don't know about Web applications that makes them 
so dangerous. "Because they aren't fully understood, they're going to 
attract a lot of attention from hackers," he says, adding that this 
should concern IT managers because "consumer-grade applications are 
increasingly becoming de facto parts of corporate IT infrastructures."

This means employees may be mixing IT work with pleasure in their 
cubicles, potentially adding work-related information to the vast 
repositories managed by Web mail systems. For example, whenever a user 
can't remember a password for a given Web site, they'll typically have 
that password mailed to a Web mail account because they can access that 
account from any computer with an Internet connection. If these 
passwords are for work-related sites, Web mail security becomes a 

"Web mail accounts give you access to everything," says Jeremiah 
Grossman, founder and CTO of WhiteHat Security, a maker of Web 
application security assessment software. Grossman, who also worked at 
Yahoo as its security officer, notes that cross-site request forgeries 
can be used for more than poaching information from Web mail accounts. 
"An attacker can gain access to any account the user is logged on to," 
he says. "This includes Web mail address books and even bank accounts."

Under another scenario, a Web mail user's ID and password could be 
stolen and then used by the attacker to send bogus messages to the 
victim's co-workers. "All the attacker has to do is send a Web mail 
saying 'I'm working from home today; use my Web mail account'," McGraw 
says. This trick could divert all sorts of business-related information 
to a Web mail account.

Yet other security experts see Web mail as more of a danger for users 
purposely or inadvertently leaking data out of their employers' IT 
environments, rather than as an attack vector for malware. "Applications 
that your employees are going to use that are not under the control of 
your IT department are definitely a security concern," says 451 Group 
senior analyst Nick Selby. But, "if an attacker is using malware, that's 
already being addressed by checking endpoints and isolating infected end 
points," he adds.

Google, Yahoo, and other Web companies that rely on the fancy Web 2.0 
features enabled by JavaScript will most likely continue to respond 
quickly to security vulnerabilities, although it's less comforting to 
know that a site known as Googlified was the first to point out the most 
recent problem. While it's unrealistic for IT managers to stop the use 
of Web applications, they should be aware of the potential threats to 
their IT systems and data.
