Loren Baker, Editor

Google Video Exposing Private Username & Password Information?

June 12th, 2007 by Loren Baker, Editor | 21 Comments

Google Video may be exposing the usernames and passwords of users who post videos to their MySpace accounts by sending this information over an unsecured connection, using an http URL and not https.

A Google user experienced the security flaw after viewing a video on Google Video and clicking the ‘Email - Blog - Post to Myspace’ option.

For example, go to this Google Video of the Japanese Master of Tetris playing in the 2001 Tetris Championship:

Tetris Grand Championship

Then click ‘Email - Blog - Post to Myspace’

Google Video Post to MySpace

You will then be served this unsecured form, which asks for private login information:

Google Video Embed Form

The user posted his experience with this on DigitalPoint forums:

So after clicking I was greeted with the following popup http://video.google.co.uk/blogpost?d…22&siteindex=3 and immediately noticed that the url of it was http, and not https. An insecure form… So I figured it must be posting the login details to a https url, so I pulled out live headers and this is what I got:

http://video.google.co.uk/blogpost

POST /blogpost HTTP/1.1
Host: video.google.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://video.google.co.uk/blogpost?d…22&siteindex=3
Content-Length: 42
Cookie: PREF=ID=26c938172fc51030:TM=1178041215:LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
Pragma: no-cache
Cache-Control: no-cache
req=login&name=myusername&pass=mypassword&site=MySpace

In a nutshell, according to this user, Google is passing private information, which includes MySpace, LiveJournal, Blogger, and TypePad login details, over unsecured channels. And since Blogger accounts sometimes use Google Accounts for login, such a flaw could expose a user’s Gmail, Google AdWords, Google AdSense, and maybe even Google Checkout information (unless this information is encrypted).


Comments

21 responses so far ↓

  • Michael VanDeMar on Jun 12, 2007 at 1:05 pm

    There are tons of companies not using SSL where they should be. I mean, does Myspace actually use SSL when you log straight into it?

  • JH on Jun 12, 2007 at 1:08 pm

    I don’t think MySpace even owns an SSL certificate. You’re worried about Google passing your credentials in the clear?

  • Scorp on Jun 12, 2007 at 1:18 pm

    And where could be the man-in-the-middle sniffing your traffic?

  • Anonymous on Jun 12, 2007 at 2:38 pm

    Being a Security personal, and capturing and analyzing the packet traffic of a myspace login, as well as a capture of the entire updating/editing of a user profile… There is no SSL whatsoever being used on any myspace.com servers!

    -rmx

  • NuBee on Jun 12, 2007 at 2:40 pm

    So I googled Live Header and downloaded ieHTTPHeaders. I notice that it sniffed packets but I couldn’t extract anything like you showed above. I would love to know how you got all that information.

  • Collin Cerbus on Jun 12, 2007 at 2:59 pm

    Who cares? If you really want someone’s myspace password, there are easier ways of getting it than google video.

  • Just another guy on Jun 12, 2007 at 3:27 pm

    Sounds to me this is more a problem with the shitty virus ridden design of myspace. I don’t see how this is Google’s fault.

    I mean if I leave my doors open and then go on vacation, whose fault is it I get robbed? Mine.

    Time for everyone to sack up and take responsibility.

  • Turtle on Jun 12, 2007 at 4:18 pm

    Rabble Rabble Rabble. Who the hell is going to intercept your headers to, oh my gosh, change your sexual preference or something stupid like that on myspace. Hells bells, someone just destroyed my dainty social life by deleting all of my friends. Guess it’s time to get a pair and finally cut down the tracks.

    SSL, believe it or not, puts a fairly heavy burden on front end servers, especially when the operation is the size of google. It’s not like they are sending credit card numbers in plain text. I do not believe that google slipping your passwords that are never encrypted to begin with on other sites through the tube in plain text is really a security risk. If someone is that paranoid and worried that they are being snooped on they should be using TOR anyway, where your traffic is only in plain text at the exit node and is onion routed to God knows where on the way to its destination.

  • Turtle on Jun 12, 2007 at 8:21 pm

    But then again, I’m a complete idiot.

  • ktan91 on Jun 12, 2007 at 9:52 pm

    …. And what is your point? Only you and google can see it… What man in the middle? A guy sniffing your wifi? He can find way more valuable information. It’s being posted to google.. to share it on myspace…..

  • kevin on Jun 12, 2007 at 10:04 pm

    To “just another guy”: point that is being made is that the information that is being passed by google is not encrypted. this is dangerous, and is not the responsibility of myspace, or any other site for that matter.

    in the end submit forms which request sensitive information such as usernames and passwords should all be posting information over an encrypted channel.

  • Acronyms on Jun 13, 2007 at 12:31 am

    Nothing to worry about

  • OffBeatMammal on Jun 13, 2007 at 7:39 pm

    This isn’t a Google problem - they’re just calling the Myspace login capability. The fault lies with Myspace not securing (and enforcing) the login itself.

    Others have pointed it out before: http://momby.livejournal.com/3314.html?thread=54258

    IMO it exposes two reasons to be worried
    1/ How many people use the same password on Myspace as they use on their email account (or elsewhere)? - in one hit an unethical person would have access to both
    2/ How many email addresses are sitting in plaintext on proxy servers just waiting for a spammer to snaffle them up and start selling viagra to them?

    Because the login is not SSL encrypted there are a number of vectors to allow access to the information… some of which could be enabled by someone running a rogue hotspot in a Starbucks, airport or college campus through to someone trawling an ISP’s proxy logs (with an automated filter looking specifically for the login page and gathering the POST data off it… not too hard)

    Myspace are NOT the only site to have this weakness, and hopefully they’re learning from the lesson and tidying up right now. With any luck the lesson won’t go un-noticed by other sites with the same flaw (using a nickname rather than email as login is a better idea, encouraging people to make up strong, site relevant passwords is another) and this is the last time a high profile site will make the mistake

  • Motorcycle Guy on Jun 14, 2007 at 7:43 am

    This is kind of moot as myspace doesn’t use https anyway. I think they only use it on registration.

  • David Spark on Jun 18, 2007 at 1:14 pm

    It may seem innocuous stealing your Google login. I know we all probably have both secure and insecure passwords. And we use our insecure passwords for things like subscriptions on Latimes.com. Who cares who’s reading my news?

    Still, collecting this kind of stuff can begin to compromise your identity online. Someone could post something on the latimes.com website using my name.

    Given the topic of this discussion, you might be interested in a review of a new identity theft monitoring service called IdentityTruth.com. It’s available on the Security Dreamer blog.

    I’m working with Steve Hunt, author of SecurityDreamer, a site devoted to reviewing and analyzing physical and IT security.

    You can read it here:

    http://www.securitydreamer.com/2007/06/first_look_at_i.html

  • josh on Jun 24, 2007 at 2:36 pm

    This isn’t good, but if everyone has a unique Myspace Layouts then what could go wrong?

  • fantaisa on Jun 27, 2007 at 8:15 am

    love ya girl see ya

  • impact on Jul 9, 2007 at 7:24 am

    You should try CustomizeGoogle Firefox Extension. It can enable SSL connection to Google services. You can find it on this site:
    http://www.customizegoogle.com/

  • freid on Mar 23, 2008 at 3:59 pm

    i think it be ok its there falt bicth fuke yall ok

  • freid on Mar 23, 2008 at 4:00 pm

    bicth

