Though the New Years holiday was a long vacation for many,
it was a long work weekend for those in Google’s security
operations.
A flaw was reported and fixed over the weekend, and there are
allegations in the wild that a new crop of security issues may still exist.
Heather Adkins, information security manager at Google, said in a statement
e-mailed to internetnews.com that over the holiday weekend Google was
notified of a vulnerability that spanned multiple Google products.
“We were first notified that this issue affected Google Video and fixed it
within a few hours of receiving the report,” Adkins stated. “We were then
notified that the same issue affected other Google products. The problem
with the other products was resolved within 24 hours of the second report.
To our knowledge, no one exploited the vulnerability and no users were
impacted.”
The vulnerability, if exploited, could have allowed Google users’ Gmail contact
lists and other information to be exposed to malicious attackers. Adkins noted that the vulnerability related to how Google uses certain JSON (JavaScript Object Notation)
“The fix we employed made sure the objects could not be abused,” Adkins
said. Google engineer Matt Cutts wrote in a blog that Google fixed the JSON
vulnerabilities with a number of different approaches.
“On some of them, we immediately fixed the code to properly stop
JavaScript,” Cutts wrote. “On others, the urls were blocked until the next
push of that service will happen.”
Cutts noted that since the issues were server side, as Google’s applications
are Web-based, the fixes were deployed much faster than they would have been had the vulnerabilities appeared client-side.
“Even this situation (where several Google properties needed to be changed)
yielded a much faster fix than patching so many client-side applications,
and much of this was happening on New Year’s Eve and New Year’s Day when
most normal people are sleeping off the night before,” Cutts wrote.
Google has a solid track record of fixing vulnerabilities rapidly,
especially of late. In mid-December Google moved quickly ahead of a weekend to fix an alleged flaw in its money-making AdWords
solution.
In that case the security researcher alerted Google before the
vulnerability was publicly disclosed, a move that Google applauded.
Responsible disclosure is something that Google’s Adkins is certainly very
keen on. “We strongly encourage anyone who is interested in researching and reporting security issues to follow responsible disclosure practices, including giving vendors ample time to respond to reports,” Adkins commented.
“Responsible disclosure allows companies like Google to keep users safe by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys.”
There are currently perhaps two other issues lurking in the security shadows
for Google. In one particularly active thread in a Google Groups discussion
list, posters have alleged that their Gmail e-mails have gone missing or have
been deleted. Google apologized in the thread for any inconvenience the issue may be causing.
“Regretfully, a small number of our users — about 60 — lost some or all of
their email received prior to December 18th,” Google spokesperson Courtney
Hohne told internetnews.com. “Once we found out about this issue, we
worked day and night to confirm that only a few accounts were affected and
to do whatever we could to restore as much of the users’ accounts as we
could.”
“We also reached out to the people who were affected to apologize and to
work with them to restore the email from any personal backup they might
have,” Hohne added. “We know how important Gmail is to our users – we use it
ourselves for our corporate email. We have extensive safeguards in place to
protect email stored with Gmail and we are confident that this is a small
and isolated incident.”
Security research Rajesh Sethumadhavan posted on another security mailing
list that Google’s “blacklist” of phishing URLs was now publicly
accessible.
Google’s Safe Browsing extension is built into the Google
Toolbar and integrated into Mozilla Firefox 2.0. Safe Browsing validates
URLs against a constantly updated list of known phishing URLs. The problem
apparently is that Google may also be catching a bit too much information.
“I just played around a bit with those lists and as it seems, Google did a
splendid job, even capturing some people’s login data,” a poster noted in
response to Sethumadhavan.