91 Comments
- mannymix03, on 10/12/2007, -4/+85 no one is going to steal my cookies
- sockpuppets, on 10/12/2007, -5/+66 I made you a cookie but I stoled it
- fyre2012, on 10/12/2007, -3/+44 "Google has been fixing them within hours of being reported"
So where's the problem? Sure beats waiting until Patch Tuesday.
- fearofcorners, on 10/12/2007, -1/+31 Wow, this article is both long and detailed.
- Tialys, on 10/12/2007, -6/+28 Wow, wait... a HUGE company with millions of users and tons of products is susceptible to the occasional exploit? AND they fix it quickly? I think the world might just end!
You can't expect them to be perfect, because no one is.
- epu2, on 10/12/2007, -4/+23 I'm in ur webz stealing ur cookies
- Ghozt64, on 10/12/2007, -0/+13 If they think there have only been 3 Google XSS vulnerabilities in a month, they are sadly mistaken.
All of the following posts were made on the sla.ckers.org forum on Jan/07:
http://sla.ckers.org/forum/read.php?3,44,5129#msg-5129
http://sla.ckers.org/forum/read.php?3,44,5168#msg-5168
http://sla.ckers.org/forum/read.php?3,44,5189#msg-5189
http://sla.ckers.org/forum/read.php?3,44,5280#msg-5280
http://sla.ckers.org/forum/read.php?2,5190,5282#msg-5282
http://sla.ckers.org/forum/read.php?2,5190,5283#msg-5283
I don't think any of those are even the vulnerabilities they're talking about on this blog.
- sockpuppets, on 10/12/2007, -0/+12 C is for cache, where your cookie used to be?
- computerdude33, on 10/12/2007, -4/+15 *** glome has been kicked by DrWoody (***** you i didn't touch the ***** cookie, bitch)
- FuriousGopher, on 10/12/2007, -4/+15 "Who told you you could eat my cookies?" - Arnold Schwarzenegger
- CrispyPassion, on 10/12/2007, -4/+14 i'm in ur cabinat... stealin ur cookiez
- inactive, on 10/12/2007, -5/+13 THIS IS GETTING BAD OH NOEZ! Because Google really means to write code that has security flaws. They intentionally put them in there so they can get on the front page of Digg! Genius!
- inactive, on 10/12/2007, -5/+12 ""kinda figures if you know what they do all day"
that's pretty funny. hehe.
i didn't digg u down"
i dugg you down
- calebb, on 10/12/2007, -3/+9 Troll Digg comments? Oh wait... ;-)
- spartan018, on 10/12/2007, -1/+7 well, this is better than the 16th exploit found in 3 days, ya know?
- deltaz, on 10/12/2007, -0/+6 Try explaining this to the cookie monster...
- Agret, on 10/12/2007, -0/+5 Yeah, XSS only works if you have javascript enabled.
- LocalScope, on 10/12/2007, -0/+5 All software has flaws, it's just who knows about it and how fast they are fixed.
- kb0x, on 10/12/2007, -0/+4 it's because people either like to bash google or they see them as some kind of god.
People should think of google as a company that makes products using regular programming languages written by regular humans. They make mistakes.
The amount of vulnerabilities has never been a factor for security, the speed at which they are patched is the factor.
I would rather be vulnerable to 10 exploits for 2 days than 1 exploit for a month.
- khag7, on 10/12/2007, -0/+4 idk who garett rogers is but his face makes me laugh
- BlackAdderIII, on 10/12/2007, -0/+3 "wow. people get touchy about google don't they!"
They're a good company, they try their best to make and provide good products and services, they seem to have every intention of treating their customers, employees, shareholders, peers and competitors honourably, and within the constraints of the law and their business model they promote the freedom to have useful information for the good of humankind.
Now they're not angels, but they're a good company - so people like them.
If in a Microsoftian world, you're unfamiliar with that concept, that's probably not *your* fault.
- timmyt, on 10/12/2007, -0/+3 It's the end of the world as we know it - Google has another exploit!
- javip, on 10/12/2007, -1/+4 since you're so sure, you should put your money where your mouth is, and short google stock.
my guess is you won't =)
- enharmonix, on 10/12/2007, -0/+3 @lhnz: Yeah, not to say Google or MS don't have their share of security problems (everybody does), but I think we're seeing them because *they are high profile targets*. Simply put, everybody uses Windows? Then hackers try to find flaws. Now everybody uses Google? It was inevitable, really.
- rdoger6424, on 10/12/2007, -1/+4 ... and I feel fine...
- naxx, on 10/12/2007, -0/+2 Where does it state that Google is fixing the problem as we speak? I didn't find anywhere in the article.
- nprlisner, on 10/12/2007, -1/+3 Yea, google can fix it once and be done with it. MS has to update a ga-gillion clients after testing the fix for 3 months.
- rdoger6424, on 10/12/2007, -0/+2 @fyre2012
tell that to Berkshire Hathaway: http://finance.yahoo.com/q?s=BRKa
- rally25rs, on 10/12/2007, -0/+2 Welcome to "Web 2.0"! Anyone who thinks their internet connection is secure in the first place needs an education. Probably the same people that will flaunt their RFID enabled BMW/Mini key fobs and passports and then complain when their identities get stolen.
- pozzoe, on 10/12/2007, -0/+2 Actually, I think this is a good thing. I'd rather have known (and soon to be patched) vulnerabilities than unknown (and soon to be exploited) ones.
- lhnz, on 10/12/2007, -0/+2 lol, you were a little over-cautious with that comment haha.
- fyre2012, on 10/12/2007, -3/+5 at $505.00 / share, who the hell can afford to invest in Google?
They're due for a stock split soon.
- fatdog789, on 10/12/2007, -3/+5 This isn't just an IE only problem, several of the exploits were discovered using *Firefox*.
IOW, it's a GOOGLE problem.
And don't forget, the several hours it takes for Google to fix the problem is several hours for alert hackers to comprise hundreds or thousands of accounts.
- Ghozt64, on 10/12/2007, -0/+2 @fatdog789: Yes, a lot of XSS vulnerabilities have cross-browser capabilities. There are a lot more IE specific vectors, but a lot of the time you can get away with using two vectors (one for Firefox, one for IE), and sometimes you can get away with using regular script tags in unsanitized parameters (I've seen it happen more than less in Yahoo).
Here's a good reference: http://ha.ckers.org/xss.html
- rdoger6424, on 10/12/2007, -0/+1 stupid trols (intentional sp) at digg, kinda figures if you know what they do all day
- ronaldst, on 10/12/2007, -0/+1 Just by reading the comments, it felt like deja vu. /. ?
- jellygraph, on 10/12/2007, -0/+1 So what? 99.9% of software and probably more websites have security exploits hidden in them. Google gets 3 and everyone makes a big hoo-ha. Microsoft has more security holes in Windows XP a week...
Over-sensationalized
- m3mn0n, on 10/12/2007, -0/+1 @fatdog789
How dare you take thy Google's name in vain. That just got you blocked.
- darkecho, on 10/12/2007, -0/+1 I am surprised it took so long. I am not saying that Google apps are flawed but more or less whenever software gets big someone will find exploits for it.
- snurfle, on 10/12/2007, -0/+1 I'm in your tubez stealing your c00kies
- KnightMareInc, on 10/12/2007, -0/+1 is there a way to copy google's custom homepage so I can use it being logged out so I don't have to start all over?
- inactive, on 10/12/2007, -0/+1 "I can't figure out why no one likes me. :("
Umm... maybe because you're a douche bag?
- BlackAdderIII, on 10/12/2007, -0/+1 Services of this nature, provided on this scale, will have security issues as they mature.
Every other similar service has, and there will probably be many more.
Wrongness would be if they did not patch known, serious vulnerabilities as soon as humanly possible. They do, so meh.
- extremus, on 10/12/2007, -0/+1 Cookies are delicious delicacies!
- a0me, on 10/12/2007, -0/+1 Does anyone know if this bug is browser-independent
or it's just another of those IE-only bug?
- JohnDGeek, on 10/12/2007, -0/+1 Let's not forget all the beta that Google has on the site names. It's been pure luck that Google did not get a bug/exploit sooner. Like most of the comments have mentioned, at least they fix them quickly.
- m3mn0n, on 10/12/2007, -0/+1 Read the comments above.
- sven007, on 10/12/2007, -1/+2 It's a matter of respecting the system. I've noticed that you comment on almost every story, and the comments are either irrelevant, or are misguided. the comment system should be used for adding information to the article. When a statement is false or useless, it will be dugg down. We don't hate you, we dislike the way you are using the comment system. I personally do not comment on article unless it will add information, or a relevant anecdote. try reducing the amount of comments you make, it'll raise your reputation.
- ElMoselYEE, on 10/12/2007, -0/+1 the joke is old. might as well ask me if it blends or call it google 2.0
- neura, on 10/12/2007, -0/+1 I just want to know why all internet "journalists" think we want to know wtf they look like.