Google Flaw Gives Out MySpace Login Info!
searchenginejournal.com — Google Video may be exposing the usernames and passwords of users who post videos to their MySpace accounts and serving this information over unsecure Internet protocol, with an http URL and not https.
- wschalle, on 10/11/2007, -23/+8The fix will take about 2 seconds... Nice that someone caught it.
- ericodom, on 10/11/2007, -11/+52But how the hell did they miss it in the first place?
- PatrickA, on 10/11/2007, -13/+8Just what Google needed this week, even if it is an easy fix.
- strikezero, on 10/11/2007, -19/+6Yea take about 2 seconds....
but the damage has been done.
So many people's myspaces are hacked now it's ridiculous, I keep getting comments about some stupid free offer.
- M3RCINIAN, on 10/11/2007, -13/+6Oh noes! Who cares anyway? ***** like this happens with johnny i hack stuff using Google anyway.
- Al3x, on 10/11/2007, -3/+22Unless I read the article wrong....
Google merely passes username/password information of the listed sites (myspace, etc) insecurely (http)...so it could be caught and read...and some sites use google's login to log users in...so that could be read also.
As said above, easy fix.
@llda
This isn't a myspace flaw btw.
- coldphoenix, on 10/11/2007, -2/+22@Strikezero
I'm pretty sure those "free offers" and other annoying pieces of ***** were already there on myspace regardless of this google flaw.
- ZoTheGorilla, on 10/11/2007, -2/+13Ok flaw, feature whatever ... That Japanese kid was Sick on Tetris!
- PURPLEDRINK, on 10/11/2007, -4/+11um.... it is rare that people intercept any information en-route. it is likely that literally 0 "exploits" have been done here. marked as lame.
- smackhero, on 10/11/2007, -2/+6@Strikezero
those myspace hacks are completely unrelated and have been going on for quite some time now. most of those are automated worms that spread by taking over a user's profile and masking a portion of the page with a transparent link directing visitors to a fake log in screen on a different server. often users don't notice the url and just immediately type in their username and password into the fake login page, at which point the worm automatically logs in to myspace using their password and spreads onto their profile.
that is more of a problem with myspace's crappy design, which relies on CSS hacks to allow users to customize their profiles.
the Google Video flaw discussed here belongs to a broader problem of people transmitting sensitive info over unsecured connections. you'd be surprised at how much sensitive information you can see being transmitted in plain text just by running Ethereal on a college dorm network. i don't understand why people still use FTP rather than SFTP/SCP, or Telnet instead of SSH.
- redfox2600, on 10/11/2007, -3/+24It's actually not a bug. Myspace doesn't have SSL login for their main website nor does Facebook or Photobucket. Why should google have to use SSL if they don't?
- SkallyMM, on 10/11/2007, -7/+1MySpace gets OWNED again... I LOVE IT!
- Infowarmachine, on 10/11/2007, -6/+1myspace sucks, it's fully insecure, i've known of a pretty good loophole in it for some time that still hasn't been fixed
- haggie, on 10/11/2007, -5/+1the only people still using myspace are unsigned bands too stupid to build a website, the most has been of reality t.v. stars, and pedophiles.
- eviljim, on 10/11/2007, -0/+4Not an issue for MySpace, but it is for some of the other services as they DO have SSL signons.
How it stands now is just as insecure as logging into the myspace page directly -- no SSL.
- cfelde, on 10/11/2007, -1/+5@redfox2600: Facebook sends the login form to https://login.facebook.com/login.php
- bs3arch, on 10/11/2007, -6/+27The flaw does not only expose MySpace login information, but also that of LiveJournal, TypePad, and most importantly Blogger... which is associated with Google Accounts : Gmail, AdWords, AdSense... etc.
- dbr_onix, on 10/11/2007, -1/+27"Expose" is such a strong word - it's not encrypted, but the amount of people that will be affected by this will be close to zero.. Of course sending login data over SSL is better, but this is hardly a huge gaping hole..
- Outdoor83, on 10/11/2007, -1/+23Agreed. This is a sensationalist headline. Someone has to be sniffing your network to get the information. If you're plugged in, you're almost guaranteed to be safe (someone has to not only be listening but hack whatever switch you're plugged into to get your packets sent to them).
If you're on secured wireless, you're also almost guaranteed to be safe. Even if you're on unencrypted wireless, someone has to be sitting around, sniffing traffic, and notice. Let's face it... this is unlikely. It's not like someone can hit up a website and steal account information.
I would bury as sensationalist crap if I could.
- HalFTW, on 10/11/2007, -0/+16This is just FUD. Most websites do not use SSL for logins.
- soda0289, on 10/11/2007, -0/+18DIGG doesn't even use SSL!!
- FredSpeaking, on 10/11/2007, -0/+10It's more than just sensationalist... it's ***** *****. Google no more "gives out" your login info than your POP3 mail server does.
- user777, on 10/11/2007, -2/+1mann..., i own GStock, don't mess with google heheh j/k
- krumel, on 10/11/2007, -9/+3My... oh my....
- kensavage, on 10/11/2007, -22/+3WOW amazing.
- Scyth3, on 10/11/2007, -1/+31Didn't you get the memo about the words "wow" and "amazing" being banned from digg? You must use similar words...like "stupendous" now.
- Bklynadam, on 10/11/2007, -1/+5use "unexpected"
- marketnet, on 10/11/2007, -15/+1At least someone caught it. Hopefully my account(s) weren't compromised...
- ChrisWickenscom, on 10/11/2007, -9/+20Why would you have more than one account?
Hell, why would you have ONE account?!
- BrandonPerry, on 10/11/2007, -5/+63Heh, that's not a flaw, that's a feature!
- merr, on 10/11/2007, -16/+11nvm... bury
- qwertylicious, on 10/11/2007, -1/+30Anyone else just get distracted by the linked Tetris video?
- bs3arch, on 10/11/2007, -0/+24That Tetris video is just insane!!
- shinda, on 10/11/2007, -0/+3Man I sat and watched that tetris video to completion, I think it has some hypnotic messages in there somewhere, just those beeping noises I can't get them out of my head.
- DivisibleByZero, on 10/11/2007, -0/+1Check out the link on the right to human tetris if you haven't seen it yet. ( http://www.youtube.com/watch?v=3Mqau7J2g5E )
- PaulP82, on 10/11/2007, -3/+5Google= Privacy Protection?
- mvandemar, on 10/11/2007, -2/+47Guys, how is it that no one noticed that Digg is doing the *exact* same thing...?
http://smackdown.blogsblogsblogs.com/2007/06/12/digg-flaw-gives-out-digg-login-info/
I mean, you had to have logged in at some time to submit this story, right? :)
- bs3arch, on 10/11/2007, -13/+1If it's secure, it should not be a problem. Google Video is not secured and the login information is for third party services, not good.
- wildsnake, on 10/11/2007, -4/+2Who cares, I don't use my real information anyway.
- davidkeithjones, on 10/11/2007, -5/+1Meh, just a cockup.
- Rahu, on 10/11/2007, -1/+23Correct me if I'm wrong, but wouldn't this only "give out" the information to people who are recording all of either Google's (not likely) or your (still quite unlikely) network traffic?
- crackedplastic, on 10/11/2007, -1/+12This is correct - someone must be sniffing your traffic in order to obtain your Myspace login/pass with this technique.
Of course, if someone is sniffing your traffic to begin with, he/she could just simply wait until you manually login to Myspace (or any other site that doesn't use SSL).
It's really not a big deal - don't login to non-SSL sites from Internet cafes (or other shared, public networks), use different passwords for different sites (so that someone can't deduce other site passwords), and better yet, just don't use Myspace.
- merreborn, on 10/11/2007, -2/+2LAN sniffing has been complicated by the fact that the hub is all but extinct, with cheap switches driving most networks. In a switched network, your packets aren't forwarded to everyone on the LAN like they are in a hub-based network.
It *is* possible to fool a poorly-configured switch into effectively acting like a hub, but regardless, this added layer of difficulty will stop at least some potential attackers.
- smackhero, on 10/11/2007, -1/+1a quick way to assess if the network you're on might allow other hosts to capture your traffic is to run ethereal or another packet sniffer with your network adapter in promiscuous mode to see if you can capture others' traffic. you might be surprised at what you find on some networks (hotels, college dorms, coffee shops, etc.). it doesn't account for the possibility of ARP spoofing (which circumvents packet switching), but that is a much more sophisticated attack and unless you're transmitting/receiving extremely sensitive data it's probably not worth worrying about.
usually network administrators will do a decent job of traffic narrowing on larger networks using switches & routers, but sometimes this isn't the case. and even if most of the traffic is being switched upstream there's a good chance that there are a handful of hosts on your subnet whose traffic you'll be able to see (and can potentially see yours as well)--freshman year of college i used to open up the packet sniffer when i was bored to see what my roommate was talking about on AIM or what porn sites he'd been visiting. =P
- mvandemar, on 10/11/2007, -1/+1"You are correct. Diggtards are complete idiots."
@mikecampbell - You work at Digg customer service, don't you...?
- EricWester, on 10/11/2007, -6/+1It's okay. I still love Google!
- perfectnation, on 11/09/2007, -5/+1hmm, myspace got bigger "issues"
- longbow486, on 10/11/2007, -3/+1i can't stand blogs with ***** CSS style sheets, not the colors, the way the text is managed
- micklerlop, on 10/11/2007, -5/+2feature indeed. myspace blows.
- Theipolicy, on 10/11/2007, -5/+3Dude...it's just myspace. Not really, but any person who uses the automatic embed option deserves to have their info stolen. How hard is it to copy and paste some code yourself? Lazy bastards.
- thomas, on 10/11/2007, -7/+4This isn't Google's fault, they don't have to fix anything. This is all on MySpace's poor design.
- kisore, on 10/11/2007, -6/+4buried as completely *****
- StandardsDT, on 10/11/2007, -7/+3So this is why there are millions of spammers on MySpace.
- imacumpewter, on 10/11/2007, -5/+2im in your googles stealin your passwordz
// waste of 3 minutes
- jtkooch, on 10/11/2007, -3/+5This is hardly a cause for concern. Someone would still have to be sniffing your Internet connection, wired or wireless, in order to exploit this. If it's the former, you have a larger security problem you need to deal with, if it's the latter, it's your fault for not securing your connection.
- smackhero, on 10/11/2007, -2/+2that depends on your setting. if you're at home behind a personal router, sure. but if you're at starbucks, the library, an internet cafe, or some other public establishment that offers wireless/wired internet access, it could be legitimate concern, and you should probably avoid sending sensitive info unencrypted. college dorms, hotels, airports, etc. are also places where you should beware of someone potentially capturing your traffic.
this isn't a huge vulnerability, and it's certainly not something unique to Google, but it's something to always be conscious of. even behind a secure router, your packets may be passing through unsecured networks, so if you're sending really sensitive info, it's best to be safe and encrypt it. for instance, always use SSH and SFTP/SCP instead of Telnet and FTP.
it's very possible that there's someone sniffing unencrypted traffic on a network between you and the target machine. they might ignore myspace passwords or e-mail logins and such, but let's say you're logging in to a company network that contains valuable data, or even if you're just managing an e-commerce website, that kind of traffic could be picked up by someone with malicious intentions and it would be your own fault for not encrypting it or using a secure connection.
- thewebguy, on 10/11/2007, -0/+9myspace's login isn't ssl anyway
- daok, on 10/11/2007, -2/+1I do not think it's a big security lack... you cannot change data on every MySpace page that has video... the only way is if someone sniffs the data and, as mentioned above, gets the login info. This only affects a person in a public area who could be sniffed by someone. That's it... the article is inaccurate.
- boffert, on 10/11/2007, -1/+2Such unbelievably charitable use of the term "gives out".
But really, who cares? I'm really going to go out on a whim here and suggest nobody would waste their time trying to acquire a myspace login with a man-in-the-middle attack. Total garbage.
- Koyder, on 10/11/2007, -0/+8Quick, grab the logins and delete the accounts! It may be our chance to free the internet from MySpace!
- stroebele, on 10/11/2007, -5/+1ericodom: "But how the hell did they miss it in the first place?"
I'm betting you're not a developer
- armourer, on 10/11/2007, -3/+1Wait...
you're telling me after facebook, people still use myspace?
/sarcasm
- codemonkey2841, on 10/11/2007, -1/+2That's what they get for embedding videos into their myspace page.
- FAT_PIGGY, on 10/11/2007, -2/+2lol
- rubbers0ul, on 10/11/2007, -0/+1so that's how the now infamous "skins" party was started....
- Topher06, on 10/11/2007, -0/+0Is it Google's fault, or MySpace? How can a website require logging in in order to link to public movies or not offer a link generator that would create a special link without the need for login information?
- SiRwhilms, on 10/11/2007, -2/+4Sensationalist ***** title, as if that's a surprise. You can't just go "can has i some myspace loginz?". It's just unencrypted traffic that could be sniffed if you were using ARP or were somehow in between client and server.
- crackedplastic, on 10/11/2007, -1/+1You might want to brush up on basic networking. Nearly every IP-based network device/machine uses ARP.
- SiRwhilms, on 10/11/2007, -1/+2Sorry, let me clarify. Yes, everything uses ARP. I mean ARP Poison Routing-- you trick ARP caches to make clients believe that you are the router, and vice-versa. It's a man-in-the-middle.
- RBasil, on 10/11/2007, -0/+2Simple fix, don't use myspace. :)
- artificialgrey, on 10/11/2007, -0/+1The question is: "Why would anyone want MySpace credentials anyway?"
- ncr100, on 10/11/2007, -0/+5Did you see that guy's web page? All the craaaazy advertisements on it? There are seven (7) ads visible without scrolling. The article is seriously tiny compared to the ad's. I say Bury this.
- guttertrash, on 10/11/2007, -0/+2this isn't google's problem. people are so retarded. it's like expecting a gas station to chase your car around and fill it up every time it needs gas. the internet has become the domain of retards and trolls. i think i'd rather be a troll thanks.
- jeremiahx, on 10/11/2007, -0/+2um, Myspace doesn't even use an SSL for their login screen... so EVERY time you login to myspace it can be sniffed. LAME!
- funkyB, on 10/11/2007, -3/+0"um, Myspace doesn't even use an SSL for their login screen... so EVERY time you login to myspace it can be sniffed. LAME!"
yup
- DivisibleByZero, on 10/11/2007, -0/+1In high school, I was tasked with setting up the school website. It had a ton of content:
1) Monthly lunch menus
2) Student handbook
3) School closing information when applicable.
Shortly after we put it up and gave the URL to students, some parent sent an email, OUTRAGED that the site wasn't "secure" because it used http, not https.
- jeremiahx, on 10/11/2007, -0/+1yes because accessing public knowledge MUST go through a Secure Connection!
- rspeed, on 10/11/2007, -0/+2Is the MySpace login form even encrypted?
- jeremiahx, on 10/11/2007, -0/+2Nope
- Katana314, on 10/11/2007, -0/+1Okay, this is bad for google, but seriously...if you're using MYSPACE...how can you NOT expect your personal info to be taken??? Myspace is about GIVING IT OUT!!!
- Philipp_Lenssen, on 10/11/2007, -1/+3Marked as inaccurate for the headline...
- kwummy, on 10/11/2007, -1/+0Who wants the login information for teenagers and pedophiles?
- rouslan, on 10/11/2007, -0/+1I tried analyzing the headers but I cannot find the login info-did they fix the problem already?
- rbrown, on 10/11/2007, -0/+1MySpace doesn't use HTTPS as login anyway as default. And didn't Gmail used to allow you to login via HTTP?
- jgreene777, on 10/11/2007, -1/+2sounds more like a MySpace problem, not a Google problem.
- Harboggles, on 10/11/2007, -2/+1This is my myspace Girlfriend.
http://images.craigslist.org/01010001020501041120070612b726977c2a078540330093e9.jpg
- j0se, on 10/11/2007, -0/+1myspace can kiss my ass!
- bill.clark, on 10/11/2007, -1/+1Wow, I'm SO glad you pointed this out. I *totally* thought anything having to do with MySpace was incredibly secure.
Wanker.