web application security lab

Google disclosure fallout

Well, yesterday was hell. Google has publicly stated that they would prefer it if people tell them about their vulnerabilities directly (really? No way!). Yes, I am fully aware of Google’s security email alias, no need to forward it to me; I intentionally did not use it in the first place. I’m happy that they took the XSS vulnerability seriously, and I am disturbed that they and many other so-called security experts are shrugging off the redirector issues as if they are not worth talking about.

First, let me cut and paste an email I wrote to one of the guys on one of the lists (edited for readability):

Y2K was by design (to save space); that didn’t make it less of a bug. You’re right, they would take XSS seriously, but that does not mean redirection is okay. It’s probably okay in a site that gets no traffic, because it is not a trusted application. Google is trusted (as we’ve seen, that’s probably not always a good idea). If you see a URL with http://www.google.com/… in it, you are far more likely to trust it than some random IP address, right? Do you inspect the full URL and decode it prior to going there? If you do, I salute you, but you make up a vastly paranoid minority.

On the other end of that redirection lies a phishing site, with viruses/trojans/keyloggers, so that even if the poor user knows better they are infected anyway. Google wants to track its users (not surprising for an advertising company), but that shouldn’t introduce trust issues into the application. Whitelisting could seamlessly integrate into the application (breaking nothing, but increasing load, certainly). Adding checksums would break functionality but would probably cost less. Either way, redirects, by design or by accident, are a trust issue in applications. We’re not talking a theoretical scenario either.
Google has already been used as a phishing redirector:
http://lists.virus.org/dshield-0602/msg00156.html
http://blog.eweek.com/blogs/larry_seltzer/archive/2006/03/05/8240.aspx
http://thespamdiaries.blogspot.com/2006/03/google-used-as-url-cloaking-device-in.html
http://www.docuverse.com/blog/donpark/EntryViewPage.aspx?guid=e08af74b-8b86-418c-94e0-7d29a7cb91e2
http://email.about.com/od/outlooktips/qt/et043005.htm
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0511&L=security&T=0&F=&S=&P=15599
http://blogs.geekdojo.net/brian/archive/2004/10/14/googlephishing.aspx

How quickly people forget, and this was only a few months ago! How did they fix the problem? They broke the chained redirect:
http://www.google.com/url?q=http://www.google.com/url?q=http://www.google.com/url?q=http://ha.ckers.org/

But left the underlying redirect:

http://www.google.com/url?q=http://ha.ckers.org/

Clearly they are aware of the problem, but they are only putting band-aids over the real issue. Is tracking your users worth introducing holes that phishers can exploit? Clearly even Google sees this as an issue, or they wouldn’t have put the above “fix” in place. They just don’t want to fix it correctly because it would impact their ability to track your usage of their site. I don’t blame Google; it’s easier to monetize its user base if it knows everything about them.
Just because Google is a great toolkit for phishers doesn’t diminish their value; it’s just a risk you take when you view their site, which is no different from any other site of the same size (and user trust) and with the same issues. To my knowledge no one was able to exploit the XSS hole I disclosed yesterday, and now it is closed. On the other hand, the redirector that was exploited by many phishing sites is still open months later.

Look, I don’t hate Google, I just think Google acts with a sort of misguided moral impunity. I don’t want to get into an ethical diatribe, because that is not what this website is about, but allowing vulnerabilities to exist (phishing attacks) through your application (redirector) for the sole purpose of monetizing the application itself (it’s cheaper not to fix it and it’s better to track your users with) == evil. Yes, it has all sorts of uses, as does XSS; that doesn’t make it okay (the most inane argument I’ve heard is that the redirector helps withhold page rank from sites you don’t want to give page rank to - uh… no, that’s what they invented rel=nofollow for). Business is evil. I don’t mind it. In fact, I embrace it. Free market economics is what makes the world go round. I’m all for it.

Further, other companies have had the same issue, and they have indeed fixed the problem. DoubleClick was hit with the same thing; they fixed it using a whitelist approach. Everyone else in the industry has figured this out. Google has the best and the brightest, supposedly, and they should figure it out too. Or have they? Again, this isn’t an academic exercise, this is an economics exercise, and it’s better for their company to keep it around, except for when annoying guys on the Internet make a stink about it - I get that, trust me.

Okay, that was the bad, now for the good. Google was very expeditious in fixing the hole (somewhere hovering around 23 hours, although I didn’t get an exact time from anyone, so that’s a guess). I was also pointed to a few interesting articles. The first was a link to a Foundstone (a great security company in my mind, btw) training on web application security techniques for Google’s QA department. The good news is that they used the XSS Cheat Sheet to explain how to find and fix cross site scripting vulnerabilities. The not so good news (for me, and for Google employees) is that the tape cuts out right as they start explaining its use. So anyone watching the tape would miss its value in the auditing process. Is a cameraman to blame for the security miss? Wouldn’t that be amusing?

More good news: it appears this was widely seen inside Google, as the PR department issued a press release about it, and the likes of Matt Cutts acted as an on-call responder (I’m actually a little flattered, as I think Matt Cutts is a hell of a guy and probably too good for the company he works for).

I’ve received a number of phone calls, dozens of emails, a dozen or so posts, ZDNet picked up the story, News.com did too… all in all, was it worth it? No way! The economics of me going Full Disclosure just isn’t there (as I said, I embrace the free economy, and the ROI on this just isn’t there). So what to do? Do I email Google security in the future and test the roulette wheel of if and when they will fix issues, do I just sit on it and ignore the problem, paving the way for future exploits, or maybe give it to someone else to disclose and save myself the annoyance of dealing with Google zealots? All I do know is this is the last post I’m doing about Google’s XSS woes for a while. End of story.

Now their SEO (search engine optimization) woes… THAT is another story. :)

3 Responses to “Google disclosure fallout”

  1. nervox Says:

    Greetings
    I was following the comments on Bugtraq and landed here.

    Google, albeit they have a $hit load of money, still don’t bother hiring ppl to check for vulnerabilities (or they are not doing their job), and no, no one has to notify anyone about anything (unless mortal danger).
    I do believe that the author here did the right thing by doing FULL DISCLOSURE the way it should be done.
    Google (and other companies) should keep an eye on public mailing lists, and it is THEIR problem if they have security holes.
    And I find it unacceptable the way Google chooses which issues should be handled and the way they are; the redirect still works, and the way they choose to fix them.

    Kudos for your work.

    My 0.02 E
    Brgrds Nervox

  2. John Andrews Says:

    Don’t sweat it so much, eh? After I read through this, the issue in my mind was the value of full disclosure w/Google…and it’s muddy. Truth is, the issue was (is?) Google’s response and status. Don’t let the spin machine get you down!

    It got fixed because….. because….. because why? Because you exposed it and started a conversation about it. Good job. IF NOTHING ELSE somebody in Google is now responsible for promptly handling incoming direct disclosures. And awareness of phishing vulnerabilities using the Google brand? And Awareness of Google’s view of that problem? Much clearer now, thanks.

    Someone once asked, what price freedom?

  3. Matt Cutts Says:

    “On the other hand, the redirector that was exploited by many phishing sites is still open months later.”

    Given that tons of different internal groups at Google used this redirector for quite a while, it’s understandable that it took a little while to close this. But I believe that if you go to

    http://www.google.com/url?q=http://www.cnn.com/

    now you’ll get an interstitial page, and the page requires an active click to continue.

    I’m sure that over time Google will continue to close any open URL redirection on the Google domain, but this URL was the most-used, so I’m glad that we did close it.