Google Video Exposing Private Username & Password Information?

Google Video may be exposing the usernames and passwords of users who post videos to their MySpace accounts by sending this information over an unsecured connection, using an http URL rather than https.

A Google user experienced the security flaw after viewing a video on Google Video and clicking the ‘Email – Blog – Post to Myspace’ option.

For example, go to this Google Video of the Japanese Master of Tetris playing in the 2001 Tetris Championship.

Then click ‘Email – Blog – Post to Myspace’

You will then be served this unsecure form which asks for private login information:

The user posted his experience with this on DigitalPoint forums:

So after clicking I was greeted with the following popup http://video.google.co.uk/blogpost?d…22&siteindex=3 and immediately noticed that the url of it was http, and not https. An insecure form… So I figured it must be posting the login details to a https url, so I pulled out live headers and this is what I got:

http://video.google.co.uk/blogpost

POST /blogpost HTTP/1.1
Host: video.google.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://video.google.co.uk/blogpost?d…22&siteindex=3
Content-Length: 42
Cookie: PREF=ID=26c938172fc51030:TM=1178041215:LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
Pragma: no-cache
Cache-Control: no-cache
req=login&name=myusername&pass=mypassword&site=MySpace

In a nutshell, according to this user, Google is passing private information, including MySpace, LiveJournal, Blogger, and TypePad login details, over unsecured channels. And since Blogger accounts sometimes use Google Accounts for login, such a flaw could expose a user’s Gmail, Google AdWords, Google AdSense, and maybe even Google Checkout information (unless this information is encrypted).

Loren Baker is the Founder of SEJ, an Advisor at Alpha Brand Media and runs Foundation Digital, a digital marketing strategy & development agency.

27 thoughts on “Google Video Exposing Private Username & Password Information?”

  1. I don’t think MySpace even owns an SSL certificate. You’re worried about Google passing your credentials in the clear?

  2. Being a Security personnel, and capturing and analyzing the packet traffic of a myspace login, as well as a capture of the entire updating/editing of a user profile… There is no SSL whatsoever being used on any myspace.com servers!

    -rmx

  3. So I googled Live Header and downloaded ieHTTPHeaders. I notice that it sniffed packets but I couldn’t extract anything like you showed above. I would love to know how you got all that information.

  4. Sounds to me this is more a problem with the shitty virus ridden design of myspace. I don’t see how this is Google’s fault.

    I mean if I leave my doors open and then go on vacation, whose fault is it I get robbed? Mine.

    Time for everyone to sack up and take responsibility.

  5. Rabble Rabble Rabble. Who the hell is going to intercept your headers to, oh my gosh, change your sexual preference or something stupid like that on myspace. Hells bells, someone just destroyed my dainty social life by deleting all of my friends. Guess it’s time to get a pair and finally cut down the tracks.

    SSL, believe it or not, puts a fairly heavy burden on front end servers, especially when the operation is the size of Google. It’s not like they are sending credit card numbers in plain text. I do not believe that Google slipping your passwords that are never encrypted to begin with on other sites through the tube in plain text is really a security risk. If someone is that paranoid and worried that they are being snooped on they should be using TOR anyway, where your traffic is only in plain text at the exit node and is onion routed to God knows where on the way to its destination.

  6. …. And what is your point? Only you and Google can see it… What man in the middle? A guy sniffing your wifi? He can find way more valuable information. It’s being posted to Google.. to share it on myspace…..

  7. To “just another guy”: the point that is being made is that the information that is being passed by Google is not encrypted. This is dangerous, and is not the responsibility of myspace, or any other site for that matter.

    In the end, submit forms which request sensitive information such as usernames and passwords should all be posting information over an encrypted channel.

  8. This isn’t a Google problem – they’re just calling the Myspace login capability. The fault lies with Myspace not securing (and enforcing) the login itself.

    Others have pointed it out before: http://momby.livejournal.com/3314.html?thread=54258

    IMO it exposes two reasons to be worried
    1/ How many people use the same password on Myspace as they use on their email account (or elsewhere)? – in one hit an unethical person would have access to both
    2/ How many email addresses are sitting in plaintext on proxy servers just waiting for a spammer to snaffle them up and start selling viagra to them?

    Because the login is not SSL encrypted there are a number of vectors to allow access to the information… some of which could be enabled by someone running a rogue hotspot in a Starbucks, airport or college campus through to someone trawling an ISP’s proxy logs (with an automated filter looking specifically for the login page and gathering the POST data off it… not too hard).

    Myspace are NOT the only site to have this weakness, and hopefully they’re learning from the lesson and tidying up right now. With any luck the lesson won’t go un-noticed by other sites with the same flaw (using a nickname rather than email as login is a better idea, encouraging people to make up strong, site relevant passwords is another) and this is the last time a high profile site will make the mistake

  9. It may seem innocuous stealing your Google login. I know we all probably have both secure and insecure passwords. And we use our insecure passwords for things like subscriptions on Latimes.com. Who cares who’s reading my news?

    Still, collecting this kind of stuff can begin to compromise your identity online. Someone could post something on the latimes.com website using my name.

    Given the topic of this discussion, you might be interested in a review of a new identity theft monitoring service called IdentityTruth.com. It’s available on the Security Dreamer blog.

    I’m working with Steve Hunt, author of SecurityDreamer, a site devoted to reviewing and analyzing physical and IT security.

    You can read it here:

    http://www.securitydreamer.com/2007/06/first_look_at_i.html