Well yesterday was hell. Google has publically stated that they would preffer it if people tell them about their vulnerabilities directly (really? No way!). Yes, I am fully aware of Google’s security email alias, no need to forward it to me, I intentionally did not use it in the first place. I’m happy that they took the XSS vulnerability seriously, and I am disturbed that they and many other so-called security experts are shrugging off the redirector issues as if they are not worth talking about.
First, let me cut and paste and email I wrote to one of the guys on one of the lists (edited for readability):
Y2K was by design (to save space) that didn’t make it less of a bug. You’re right, they would take XSS seriously, but that does not mean redirection is okay. It’s probably okay in a site that gets no traffic, because it is not a trusted application. Google is trusted (as we’ve seen that’s probably not always a good idea). If you see a URL with http://www.google.com/… in it, you are far more likely to trust it
than some random IP address, right? Do you inspect the full URL and decode it prior to going there? If you do, I salute you, but you make up a vastly paranoid minority.
On the other end of that redirection lies a phishing site, with viruses/trojans/keyloggers so that even if the poor user knows better they are infected anyway. Google wants to track it’s users - not surprising for an advertising company - but that shouldn’t introduce trust issues into the application. Whitelisting could seemlessly integrate into the application (breaking nothing, but increasing load, certainly). Adding checksums would break functionaly but would probably cost less. Either way, redirects, by design or by accident, are a trust
issue in applications. We’re not talking a theoretical scenario either.
Google has already been used as a phishing redirector:
How quickly people forget, and this was only a few months ago! How did they fix the problem? They broke the chained redirect:
But left the underlying redirect:
Clearly they are aware of the problem, but they are only putting band-aids over the real issue. Is tracking your users worth introducing holes that phishers can exploit? Clearly even Google sees this as an issue or they wouldn’t have put the above “fix” in place. They just don’t want to fix it correctly because it would impact their ability to track your usage of their site. I don’t blame Google, it’s easier to
monitize it’s user base if it knows everything about them.
Just because Google is a great toolkit for phishers doesn’t diminish their value, it’s just a risk you take when you view their site - which is no different than any other site of the same size (and user trust) and with the same issues. To my knowledge no one was able to exploit the XSS hole I disclosed yesterday, and now it is closed. On the other hand, the redirector that was exploited by many phishing sites is still
open months later.
Look, I don’t hate Google, I just think Google acts with a sort of misguided moral impunity. I don’t want to get into an ethical diatribe, because that is not what this website is about, but allowing vulnerabilities to exist (phishing attacks) through your application (redirector) for the sole purpose of monitizing the application itself (it’s cheaper not to fix it and it’s better to track your users with) == evil. Yes, it has all sorts of uses, as does XSS, that doesn’t make it okay (the most inane argument I’ve heard is that the redirector helps remove page rank to sites you don’t want to give page rank to - uh… no, that’s what they invented rel=nofollow for). Business is evil. I don’t mind it. In fact, I embrace it. Free market economics is what makes the world go round. I’m all for it.
Further, other companies have had the same issue, and they have indeed fixed the problem. DoubleClick was hit with the same thing, they fixed it using a whitelist approach. Everyone else in the industry has figured this out, Google has the best and the brightest, supposedly, and they should figure it out too. Or have they? Again, this isn’t an academic exercise, this is an economics exercise and it’s better for their company to keep it around, except for when annoying guys on the Internet make a stink about it - I get that, trust me.
Okay, that was the bad, now for the good. Google was very expeditious in fixing the hole (somewhere hovering around 23 hours, although I didn’t get an exact time from anyone so that’s a guess). I was also pointed to a few interesting articles. The first was a link to a Foundstone (a great security company in my mind, btw) training of web application security techniques for Google’s QA department. The good news is that they used the XSS Cheat Sheet to explain how to find and fix cross site scripting vulnerabilities. The not so good news (for me, and for Google employees) is that the tape cuts out right as they start explaining it’s use. So anyone watching the tape would miss it’s value in the auditing process. Is a camera man to blame for the security miss? Wouldn’t that be amusing?
More good news, it appears this was widely seen inside Google, as both the PR department issued a press release about it, as well as the likes of Matt Cutts acted as an on-call responder (I’m actually a little flattered, as I think Matt Cutts is a hell of a guy and probably too good for the company he works for).
I’ve recieved a number of phone calls, dozens of emails, a dozen or so posts, ZDnet picked up the story, News.com did too… all in all was it worth it? No way! The economics of me going Full Disclosure just isn’t there (as I said, I embrace free economy and the ROI on this just isn’t there). So what to do? Do I email Google security in the future and test the roulette wheel of if and when they will fix issues, do I just sit on it and ignore the problem paving the way for future exploits, or maybe give it to someone else to disclose and save myself the annoyance of dealing with Google zealots? All I do know is this is the last post I’m doing about Google’s XSS woes for a while. End of story.
Now their SEO (search engine optimization) woes… THAT is another story.