By Jay Lyman TechNewsWorld Part of the ECT News Network
10/22/04 11:15 AM PT
While Google has risen in prominence and popularity, the details of its search software, even though it is open source, are largely unknown to outsiders. This week's security issues, however, appear to have provided more insight into how Google works.
Google (Nasdaq: GOOG) has made a name for itself by searching the Web, but security researchers doing their usual search for vulnerabilities have found flaws in the company's software that could allow alterations of search results or assist in the malicious solicitations for information known as phishing.
Google spent the first part of the week responding to a 2-year-old vulnerability posted to popular security site Bugtraq by Jim Ley, a security researcher. After Google indicated it had fixed the issue, UK firm Netcraft announced another, similar vulnerability, which has also been addressed, according to Netcraft.
Familiar Danger
The vulnerabilities, which involved the way the Google service generated Web pages without ensuring their legitimacy, could have allowed bogus sites to show up in the Google search results.
Those phony sites are the basis of increasingly serious phishing attacks, which involve tricking users into providing personal and financial information on official-looking sites.
While they have been addressed, the search engine security holes might be a sign of Google's coming challenge to keep its searches safe from attack as it adds new features and functionality, such as a desktop search capability that could have made this week's security issues more serious.
Netcraft praised Google for its faster response to the second, similar security issue, but also indicated the weaknesses could have resulted in significant attacks by using Google's own name and reputation.
"Google has fixed a phishing vulnerability that was discovered by Netcraft on Wednesday," a statement on Netcraft's site said Friday. "Google notified Netcraft that they had closed the vulnerability today at 06:30 BST, making this less-than-two-days response much faster than the two years reported by Jim Ley when he discovered a separate but similar bug."
Netcraft said both vulnerabilities could have allowed fraudsters to inject content onto Google's Web site, making it appear as though published by Google.
"This is a very effective form of phishing, as people are more likely to trust content if it appears to be hosted on a familiar domain," Netcraft said.
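As an added illustration of the injection class Netcraft describes (constructed for this article; not Google's code and not the actual 2004 flaw), here is a minimal search-results renderer that reflects the query verbatim beside one that escapes it, with a small check that flags any markup the template itself did not produce:

```python
import html
import re

# Constructed illustration of the content-injection class described above;
# this is not Google's code and not the actual 2004 flaw.
TEMPLATE = "<h1>Results for: {q}</h1><p>{n} results found</p>"

# Tag names the template itself emits; anything else in the output came from input.
TEMPLATE_TAGS = {"h1", "p"}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def render_unsafe(query, n=0):
    """Reflect the query verbatim: attacker-supplied markup is served from the trusted origin."""
    return TEMPLATE.format(q=query, n=n)


def render_safe(query, n=0):
    """Escape the query so the browser renders it as text rather than markup."""
    return TEMPLATE.format(q=html.escape(query, quote=True), n=n)


def injected_tags(rendered):
    """Return tag names in the rendered page that the template does not produce.

    A non-empty result means user input reached the page as live HTML.
    """
    found = {m.group(1).lower() for m in TAG_RE.finditer(rendered)}
    return found - TEMPLATE_TAGS


if __name__ == "__main__":
    # Constructed sample input mimicking the bogus login content the article warns about.
    sample = '<form action="https://phish.example/login">Re-enter your password</form>'
    print("unsafe:", injected_tags(render_unsafe(sample)))  # {'form'}
    print("safe:  ", injected_tags(render_safe(sample)))    # set()
```

The same tag-diff check can be run over captured responses as a cheap regression test for any page that echoes user input.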
Lesson in Liability
Webroot vice president of threat research Richard Stiennon told TechNewsWorld that the security problems with the popular Google search engine were partly symptoms of its success.
"Especially with a super-popular, almost ubiquitous online application, they're inevitably going to end up having vulnerabilities," Stiennon said.
The security analyst indicated that the key to the security dilemma is response, as Microsoft (Nasdaq: MSFT) has found dealing with Windows vulnerabilities.
"The lesson learned here is if you're the owner of an application or service, you have to respond to every vulnerability, whether or not it's exploited."
Respond or Recede
There were no reported exploitations of the holes, and although some -- including Jim Ley, who found the first vulnerability -- criticized Google's approach to the issues as inadequate, Stiennon said the company had handled the problems appropriately so far.
"This is new for them," he said.
Stiennon also said that as Google moves beyond its Internet search roots and begins creating more applications, such as its Desktop Search, it will need to stay focused on security and response.
"If they don't respond quickly enough, the repercussions will teach them that they have to do that," he said.
Proof of Python
While Google has risen in prominence and popularity, the details of its search software, even though it is open source, are largely unknown to outsiders. This week's security issues, however, appear to have provided more insight into how Google operates.
Netcraft said the newer vulnerability that it had uncovered was in the application used to search Google's own site and was on a host site that is now unreachable. Searches now reportedly run from the parent google.com site instead, Netcraft said.
Netcraft also said that while confirming Google's fix to the vulnerability it uncovered, it had found another application error that revealed fragments of source code, file structures and logic behind "the mysterious search behemoth." Netcraft said it reported the discovery to Google, but was unsure of its implications.
"At a glance, it is not clear whether the Web application stack trace would be useful to an attacker," Netcraft said. "However, it does confirm the widely held belief that Google are users of the Python programming language."
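The practitioner's takeaway from the stack-trace finding is that exception detail belongs in server-side logs, not in the response. Here is an added, constructed Python illustration of that pattern (not Google's code): the handler wrapper logs the full traceback under a short reference id and returns only a generic page carrying that id.

```python
import logging
import traceback
import uuid

# Constructed illustration of the point Netcraft raises above: a stack trace
# belongs in server-side logs, not in the response. Not Google's code.
log = logging.getLogger("search")


def generic_error_page(reference):
    """Body returned to the client: no exception text, no file paths, just a correlation id."""
    return "<p>The search service hit an internal error. Reference: %s</p>" % reference


def handle_request(handler, *args):
    """Run a request handler and return (status, body).

    Failures are logged in full on the server under a short reference id that
    the generic error page also carries, so support can correlate a user report
    with the log entry without the client ever seeing the traceback.
    """
    try:
        return 200, handler(*args)
    except Exception:
        reference = uuid.uuid4().hex[:12]
        log.error("request failed [ref %s]\n%s", reference, traceback.format_exc())
        return 500, generic_error_page(reference)


def failing_handler(query):
    """Stand-in for a handler that raises from deep inside the application."""
    raise RuntimeError("index shard lookup failed for %r" % query)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    status, body = handle_request(failing_handler, "sample query")
    print(status, body)  # 500 and a page with only a reference id
```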
Improvement and Privacy
IDC analyst Sue Feldman told TechNewsWorld that despite concerns that Google's new desktop PC search could endanger systems and user privacy, the search company actually works to avoid tracking searches and users of its products.
Referring to the reported exposure of Google code, Feldman predicted a quick clampdown by the company.
"It is interesting that some of their source code was apparently available," Feldman said. "I'll bet it's not anymore."