
Risk

9/18/2006
08:30 AM

What's Wrong With Google?

New vulnerability in its Public Search Service is the latest in a series of security headaches for Google

Google has come up with a temporary fix that prevents attackers from exploiting a newly discovered vulnerability in its Public Search Service. The potential exploit lets an attacker place a fake Google sign-in page on Google's actual servers.

Cory Altheide, security manager for Google, said in Google's Webmaster Central blog on Friday that Google has temporarily disabled logins on the service and is working on a permanent fix. So Public Search Service, which is aimed at universities and nonprofits, for now is closed to new signups.

But the glitch is just the latest in a series of security problems that have plagued the search engine firm of late. In the past few months, Google has been the victim of phishing scams on Gmail, toolbar problems, and a trojan that offered Google "updates" but instead made its victims bots. (See Google Toolbar Bug Warns Against Changing Search Engine Default and New Trojan Offers Google Update.) Google's search engine, too, has been abused by would-be attackers searching for vulnerabilities to exploit.

This latest phishing vulnerability, meanwhile, is bolder than most phishing scams because an attacker can place his fake page on the actual Google service and steal usernames and passwords for real Google services. Google's Altheide says in the blog the company knows of no exploits of the vulnerability thus far, "and this service represents an extremely small portion of searches."

So what's causing this wave of security woes at Google? Much of the problem lies in Google's open API model, analysts say. While Google's APIs have helped spread the search engine's popularity, they also leave it open to security weaknesses. "Whenever you have developers being able to create their own search APIs and maps, they can do wacky things," says Charlene Li, an analyst with Forrester Research. "They are a big fat target out there... The APIs make them even more potentially vulnerable."

Richard Stiennon, president of IT-Harvest, agrees. Attackers are deploying Google's APIs, too, he says, as well as using Google to search for potential software vulnerabilities they can exploit. "There's a well-known technique right now where you can search on a security PHP script," for instance.

Google has traditionally had a clean security record, mostly because it mainly provided search capabilities. Now the company is offering client-side, custom search, and email apps, which open it up to security holes: "They had very good security because they were giving you this tiny window into their server pile, and it was extremely well-protected," says Gary McGraw, CTO for Cigital. "The more stuff they stick out there on clients, the more they are going to suffer from this kind of attack."

And that means Google will have to make some big-time changes to its security operations and approach, analysts say.

"As a big application provider, Google should be vigilant when launching new capabilities," Stiennon says.

Google's woes are similar to those of Microsoft in its early days. "Google's concentration is time-to-market, much like Microsoft's was a generation ago," says David Aitel, president of Immunity.

"I think we'll probably see a corresponding security curve at Google, starting with 'What is security?' to 'We should sue these guys' to 'We should hire these guys.' Right now we're in the 'What is security' phase," Aitel says. "Progress along this curve will probably be driven by Google's need to sell into the enterprise market, much like Microsoft's was."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
