Wednesday, January 31

Google on Security Alert

Though the New Year's holiday was a long vacation for many, it was a long working weekend for Google's security operations staff.

A flaw was reported and fixed over the weekend, and there are allegations in the wild that a new crop of security issues may still exist.

Heather Adkins, information security manager at Google, said in a statement e-mailed to internetnews.com that over the holiday weekend Google was notified of a vulnerability that spanned multiple Google products.

"We were first notified that this issue affected Google Video and fixed it within a few hours of receiving the report," Adkins stated. "We were then notified that the same issue affected other Google products. The problem with the other products was resolved within 24 hours of the second report. To our knowledge, no one exploited the vulnerability and no users were impacted."

The vulnerability, if exploited, could have allowed Google users' Gmail contact lists and other information to be exposed to malicious attackers. Adkins noted that the vulnerability related to how Google used certain JSON (JavaScript Object Notation) objects within some of its product code.

"The fix we employed made sure the objects could not be abused," Adkins said. Google engineer Matt Cutts wrote in a blog that Google fixed the JSON vulnerabilities with a number of different approaches.

"On some of them, we immediately fixed the code to properly stop JavaScript," Cutts wrote. "On others, the urls were blocked until the next push of that service will happen."

Cutts noted that because Google's applications are Web-based, the affected code lived on the server, so the fixes could be deployed much faster than they would have been had the vulnerabilities been in client-side software.

"Even this situation (where several Google properties needed to be changed) yielded a much faster fix than patching so many client-side applications, and much of this was happening on New Year's Eve and New Year's Day when most normal people are sleeping off the night before," Cutts wrote.
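The mechanism behind this class of bug is that a JSON response which is also a valid JavaScript program can be pulled into a third-party page with a script tag, with the victim's cookies attached. The following is an added example, not Google's code and not taken from Cutts' or Adkins' statements: it shows a contact-list endpoint that returns a bare JSON array beside a hardened version that adds a non-parsable prefix and requires a request header a script tag cannot set, plus a check that tells the two shapes apart. The sample contacts and the `headers` object are constructed for the example.

```javascript
// Added example (not Google's code): a contact-list endpoint returning bare
// JSON beside a hardened version, plus a check for whether a response body
// would execute if a third-party page pulled it in with <script src=...>.

// Constructed sample data standing in for a user's contact list.
const SAMPLE_CONTACTS = [
  { name: 'Alice Example', email: 'alice@example.com' },
  { name: 'Bob Example', email: 'bob@example.com' },
];

// Prefix that is valid nowhere in JavaScript, so the body fails to parse as
// a script; a cooperating same-origin client strips it before JSON.parse.
const ANTI_HIJACK_PREFIX = ")]}'\n";

// Does this body compile as a JavaScript program? If it does, a <script>
// tag on any origin could run it with the victim's cookies attached.
function compilesAsScript(body) {
  try {
    new Function(body); // compile only; nothing is executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Vulnerable shape: a bare array literal is a complete, valid script.
function unguardedContactsResponse(contacts) {
  return { status: 200, body: JSON.stringify(contacts) };
}

// Hardened shape. `headers` is a plain object with lower-case keys standing
// in for the request headers (assumed interface for this example).
function guardedContactsResponse(contacts, headers) {
  // A <script src> fetch cannot add custom headers; requiring one limits
  // the endpoint to XMLHttpRequest/fetch callers, which the same-origin
  // policy already constrains.
  if (headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };
  }
  return { status: 200, body: ANTI_HIJACK_PREFIX + JSON.stringify({ contacts }) };
}

// Same-origin client side: strip the prefix and parse as data, never eval.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('missing anti-hijack prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Runs both shapes through the checks and reports the outcome.
function demo() {
  const bare = unguardedContactsResponse(SAMPLE_CONTACTS);
  const denied = guardedContactsResponse(SAMPLE_CONTACTS, {});
  const ok = guardedContactsResponse(SAMPLE_CONTACTS, {
    'x-requested-with': 'XMLHttpRequest',
  });
  return {
    bareCompiles: compilesAsScript(bare.body),          // true: loadable as a script
    guardedCompiles: compilesAsScript(ok.body),         // false: prefix breaks parsing
    deniedStatus: denied.status,                        // 403: no header, no data
    parsedCount: parseGuardedJson(ok.body).contacts.length, // 2
  };
}

console.log(demo());
```

Wrapping the array in an object literal already makes the body fail to parse as a statement (a top-level `{"contacts": ...}` is a syntax error), so the prefix is defence in depth on the response shape, while the header check does not depend on the shape at all; the two together cover the case where a later change reintroduces a bare array.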

Google has a solid track record of fixing vulnerabilities rapidly, especially of late. In mid-December Google moved quickly ahead of a weekend to fix an alleged flaw in its money-making AdWords solution.

In that case the security researcher alerted Google before the vulnerability was publicly disclosed, a move that Google applauded.

Responsible disclosure is something that Google's Adkins is certainly very keen on. "We strongly encourage anyone who is interested in researching and reporting security issues to follow responsible disclosure practices, including giving vendors ample time to respond to reports," Adkins commented.

"Responsible disclosure allows companies like Google to keep users safe by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys."

There are currently perhaps two other issues lurking in the security shadows for Google. In one particularly active thread in a Google Groups discussion list, posters have alleged that their Gmail e-mails have gone missing or have been deleted. Google apologized in the thread for any inconvenience the issue may be causing.

"Regretfully, a small number of our users -- about 60 -- lost some or all of their email received prior to December 18th," Google spokesperson Courtney Hohne told internetnews.com. "Once we found out about this issue, we worked day and night to confirm that only a few accounts were affected and to do whatever we could to restore as much of the users' accounts as we could."

"We also reached out to the people who were affected to apologize and to work with them to restore the email from any personal backup they might have," Hohne added. "We know how important Gmail is to our users - we use it ourselves for our corporate email. We have extensive safeguards in place to protect email stored with Gmail and we are confident that this is a small and isolated incident."

Security researcher Rajesh Sethumadhavan posted on another security mailing list that Google's "blacklist" of phishing URLs was now publicly accessible.

Google's Safe Browsing extension is built into the Google Toolbar and integrated into Mozilla Firefox 2.0. Safe Browsing validates URLs against a constantly updated list of known phishing URLs. The problem, apparently, is that the list itself may capture more than bare URLs.

"I just played around a bit with those lists and as it seems, Google did a splendid job, even capturing some people's login data," a poster noted in response to Sethumadhavan.

By Sean Michael Kerner Internetnews.com
