Google Video Exposing Private Username & Password Information?


Google Video may be exposing the usernames and passwords of users who post videos to their MySpace accounts, serving the login form and sending this information over an unsecured protocol, with an http URL rather than https.

A Google user experienced the security flaw after viewing a video on Google Video and clicking the ‘Email – Blog – Post to Myspace’ option.

For example, go to this Google Video of the Japanese Master of Tetris playing in the 2001 Tetris Championship.

Tetris Grand Championship

Then click ‘Email – Blog – Post to Myspace’

Google Video Post to MySpace

You will then be served this unsecure form which asks for private login information:

Google Video Embed Form

The user posted his experience with this on DigitalPoint forums:

So after clicking I was greeted with the following popup…22&siteindex=3 and immediately noticed that the url of it was http, and not https. An insecure form… So I figured it must be posting the login details to a https url, so I pulled out live headers and this is what I got:

POST /blogpost HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Cookie: PREF=ID=26c938172fc51030:TM=1178041215:LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
Pragma: no-cache
Cache-Control: no-cache

In a nutshell, according to this user, Google is passing private information which includes MySpace, LiveJournal, Blogger, and TypePad login details over unsecure channels. And since Blogger accounts sometimes use Google Accounts for login, such a flaw could expose a user’s GMail, Google AdWords, Google AdSense, and maybe even Google Checkout information (unless this information is encrypted).

Loren Baker
Loren Baker is the Founder of SEJ, an Advisor at Alpha Brand Media and runs Foundation Digital, a digital marketing strategy & development agency.
  • Michael VanDeMar

    There are tons of companies not using SSL where they should be. I mean, does Myspace actually use SSL when you log straight into it?

  • JH

    I don’t think MySpace even owns an SSL certificate. You’re worried about Google passing your credentials in the clear?

  • Scorp

    And where could be the man-in-the-middle sniffing your traffic?

  • Anonymous

    Being a security personnel, and capturing and analyzing the packet traffic of a MySpace login, as well as a capture of the entire updating/editing of a user profile… There is no SSL whatsoever being used on any servers!


  • NuBee

    So I googled Live Header and downloaded ieHTTPHeaders. I notice that it sniffed packets but I couldn’t extract anything like you showed above. I would love to know how you got all that information.

  • Collin Cerbus

    Who cares? If you really want someone's MySpace password, there are easier ways of getting it than Google Video.

  • Just another guy

    Sounds to me this is more a problem with the shitty virus-ridden design of MySpace. I don't see how this is Google's fault.

    I mean, if I leave my doors open and then go on vacation, whose fault is it I get robbed? Mine.

    Time for everyone to sack up and take responsibility.

  • Turtle

    Rabble Rabble Rabble. Who the hell is going to intercept your headers to, oh my gosh, change your sexual preference or something stupid like that on myspace. Hells bells, someone just destroyed my dainty social life by deleting all of my friends. Guess it’s time to get a pair and finally cut down the tracks.

    SSL, believe it or not, puts a fairly heavy burden on front end servers, especially when the operation is the size of Google. It’s not like they are sending credit card numbers in plain text. I do not believe that Google slipping your passwords that are never encrypted to begin with on other sites through the tube in plain text is really a security risk. If someone is that paranoid and worried that they are being snooped on they should be using TOR anyway, where your traffic is only in plain text at the exit node and is onion routed to God knows where on the way to its destination.

  • Turtle

    But then again, I’m a complete idiot.

  • ktan91

    …. And what is your point? Only you and Google can see it… What man in the middle? A guy sniffing your wifi? He can find way more valuable information. It's being posted to Google.. to share it on MySpace…..

  • kevin

    To “just another guy”: the point that is being made is that the information that is being passed by Google is not encrypted. This is dangerous, and is not the responsibility of MySpace, or any other site for that matter.

    In the end, submit forms which request sensitive information such as usernames and passwords should all be posting information over an encrypted channel.

  • Acronyms

    Nothing to worry about

  • OffBeatMammal

    This isn’t a Google problem – they’re just calling the Myspace login capability. The fault lies with Myspace not securing (and enforcing) the login itself.

    Others have pointed it out before:

    IMO it exposes two reasons to be worried
    1/ How many people use the same password on Myspace as they use on their email account (or elsewhere)? – in one hit an unethical person would have access to both
    2/ How many email addresses are sitting in plaintext on proxy servers just waiting for a spammer to snaffle them up and start selling viagra to them?

    Because the login is not SSL encrypted there are a number of vectors to allow access to the information… some of which could be enabled by someone running a rogue hotspot in a Starbucks, airport or college campus through to someone trawling an ISP's proxy logs (with an automated filter looking specifically for the login page and gathering the POST data off it… not too hard)

    Myspace are NOT the only site to have this weakness, and hopefully they’re learning from the lesson and tidying up right now. With any luck the lesson won’t go unnoticed by other sites with the same flaw (using a nickname rather than email as login is a better idea, encouraging people to make up strong, site relevant passwords is another) and this is the last time a high profile site will make the mistake

  • Motorcycle Guy

    This is kind of moot as myspace doesn’t use https anyway. I think they only use it on registration.

  • David Spark

    It may seem innocuous stealing your Google login. I know we all probably have both secure and insecure passwords. And we use our insecure passwords for things like subscriptions on Who cares who’s reading my news?

    Still, collecting this kind of stuff can begin to compromise your identity online. Someone could post something on the website using my name.

    Given the topic of this discussion, you might be interested in a review of a new identity theft monitoring service called It’s available on the Security Dreamer blog.

    I’m working with Steve Hunt, author of SecurityDreamer, a site devoted to reviewing and analyzing physical and IT security.

    You can read it here:

  • josh

    This isn’t good, but if everyone has a unique Myspace Layouts then what could go wrong?

  • fantaisa

    love ya girl see ya

  • impact

    You should try CustomizeGoogle Firefox Extension. It can enable SSL connection to Google services. You can find it on this site:

  • freid

    i think it be ok its there falt bicth fuke yall ok

  • edgar

    how open wit out passwore

  • laura frost

    I tried to sign in but it didn't let me lolz

  • miz inderpendant

    lolz hi ppz
    u all ok?
    xx miz imderpendant xx

  • miz inderpendant

    lolz lovs ya all bye xx lil miz xx

  • cinthia ramirez

    log in to my myspace.
