Risk

9/18/2006
08:30 AM
What's Wrong With Google?

New vulnerability in its Public Search Service is the latest in a series of security headaches for Google

Google has come up with a temporary fix that prevents attackers from exploiting a newly discovered vulnerability in its Public Service Search. The potential exploit lets an attacker place a fake Google sign-in page on Google's actual servers.

Cory Altheide, security manager for Google, said in Google's Webmaster Central blog on Friday that Google has temporarily disabled logins on the service and is working on a permanent fix. Public Search Service, which is aimed at universities and nonprofits, is therefore closed to new signups for now.

But the glitch is just the latest in a series of security problems that have plagued the search engine firm of late. In the past few months, Google has been the victim of phishing scams on Gmail, toolbar problems, and a trojan that offered Google "updates" but instead made its victims bots. (See Google Toolbar Bug Warns Against Changing Search Engine Default and New Trojan Offers Google Update.) Google's search engine, too, has been abused by would-be attackers searching for vulnerabilities to exploit.

This latest phishing vulnerability, meanwhile, is bolder than most phishing scams because an attacker can place his fake page on the actual Google service and steal usernames and passwords for real Google services. Google's Altheide says in the blog the company knows of no exploits of the vulnerability thus far, "and this service represents an extremely small portion of searches."

So what's causing this wave of security woes at Google? Much of the problem lies in Google's open API model, analysts say. While Google's APIs have helped spread the search engine's popularity, they also leave it open to security weaknesses. "Whenever you have developers being able to create their own search APIs and maps, they can do wacky things," says Charlene Li, an analyst with Forrester Research. "They are a big fat target out there... The APIs make them even more potentially vulnerable."

Richard Stiennon, president of IT-Harvest, agrees. Attackers are deploying Google's APIs, too, he says, as well as using Google to search for potential software vulnerabilities they can exploit. "There's a well-known technique right now where you can search on a security PHP script," for instance.

Google has traditionally had a clean security record, largely because it offered little beyond search. Now that the company offers client-side, custom-search, and email applications, it has far more exposed surface for security holes: "They had very good security because they were giving you this tiny window into their server pile, and it was extremely well-protected," says Gary McGraw, CTO for Cigital. "The more stuff they stick out there on clients, the more they are going to suffer from this kind of attack."

And that means Google will have to make some big-time changes to its security operations and approach, analysts say.

"As a big application provider, Google should be vigilant when launching new capabilities," Stiennon says.

Google's woes are similar to those of Microsoft in its early days. "Google's concentration is time-to-market, much like Microsoft's was a generation ago," says David Aitel, president of Immunity.

"I think we'll probably see a corresponding security curve at Google, starting with 'What is security?' to 'We should sue these guys' to 'We should hire these guys.' Right now we're in the 'What is security' phase," Aitel says. "Progress along this curve will probably be driven by Google's need to sell into the enterprise market, much like Microsoft's was."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
