
Young Armenian blogger discovers huge Google security hole

Kudos to Vahe G for once again reminding us why entrusting our user data to Google is a bad idea:

Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain.

If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.

What Vahe did was use Google’s Blogger to create a blog (on BlogSpot) and then take advantage of a security vulnerability to harvest the email address of anyone signed in with a Google account. The harvesting took place simply when someone visited the blog in question. As proof, Vahe sent messages to the harvested addresses urging their owners to share a goo.gl shortlink pointing to the blog with friends.

After TechCrunch reported the exploit, Google took down the blog, and Vahe sent an email to TechCrunch’s founder, Mike Arrington, explaining the vulnerability:

Hi Mr. Arrington,

I see you have already shared the news. It’s good that Google got it down, I really don’t want people to know about how that was done (if Google contacts me I will definitely tell them – they just don’t answer my emails). Problem relies solely on Google.

Problem is I asked a lot of people, and most of them don’t really understand and care about this kind of things and big companies act like they all really protect our privacy and such, but they see that people don’t care and don’t do anything really.

Regards,
Vahe G. (Armenian 21yrs guy whom Google doesn’t want to even talk to)

That’s one incredibly smart guy.

Google’s response?

We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com.

It’s telling that the issue only got addressed after it made it onto one of the most widely read technology blogs in the world. By not catching these things earlier, Google is exposing its users to external harm. All the more reason not to have a Google account and not do business with Google at all.