Google Video may be exposing the username and passwords of users who post videos to their MySpace accounts and serving this information over unsecure Internet protocol, with an http URL and not https.
A Google user experienced the security flaw after viewing a video on Google Video and clicking the ‘Email – Blog – Post to Myspace’ option.
Example, go to this Google Video of the Japanese Master of Tetris playing in the 2001 Tetris Championship.
Then click ‘Email – Blog – Post to Myspace’
You will then be served this unsecure form which asks for private login information:
The user posted his experience with this on DigitalPoint forums:
So after clicking I was greeted with the following popup http://video.google.co.uk/blogpost?d…22&siteindex=3 and immediately noticed that the url of it was http, and not https. An insecure form… So I figured it must be posting the login details to a https url, so I pulled out live headers and this is what I got:
POST /blogpost HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199) Gecko/20070309 Firefox/188.8.131.52
Cookie: PREF=ID=26c938172fc51030:TM=1178041215:LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
In a nutshell, according to this user, Google is passing private information which includes MySpace, LiveJournal, Blogger, and TypePad login details over unsecure channels. And since Blogger accounts sometimes use Google Accounts for login, such a flaw could expose a user’s GMail, Google AdWords, Google AdSense, and maybe even Google Checkout information (unless this information is encrypted).
Subscribe to SEJ
Get our weekly newsletter from SEJ's Founder Loren Baker about the latest news in the industry!