Google has made a name for itself by searching the Web, but securityresearchers doing their usual search for vulnerabilities have found flaws inthe company’s software that could allow alterations of search results orassist in the malicious solicitations for information known as phishing.
Google spent the first part of the week responding to a 2-year-old vulnerability posted to popular security site Bugtraq by JimLey, a security researcher. After Google indicated it had fixed the issue, UK firm Netcraftannounced another, similar vulnerability, which has also been addressed,according to Netcraft.
The vulnerabilities, which involved the way the Google service generatedWeb pages without ensuring their legitimacy, could have allowed bogus sitesto show up in the Google search results.
Those phony sites are the basis ofincreasingly serious phishing attacks, which involve tricking users intoproviding personal and financial information on official-looking sites.While they have been addressed, the search engine security holes might be asign of Google’s coming challenge to keep its searches safe from attack asit adds new features and functionality, such as a desktop search capabilitythat could have made this week’s security issues more serious.
Netcraft praised Google for its faster response to the second, similarsecurity issue, but also indicated the weaknesses could have resulted insignificant attacks by using Google’s own name and reputation.
“Google has fixed a phishing vulnerability that was discovered byNetcraft on Wednesday,” a statement on Netcraft’s site said Friday. “Googlenotified Netcraft that they had closed the vulnerability today at 06:30 BST,making this less-than-two-days response much faster than the two yearsreported by Jim Ley when he discovered a separate but similar bug.”
Netcraft said both vulnerabilities could have allowed fraudsters toinject content onto Google’s Web site, making it appear as thoughpublished by Google.
“This is a very effective form of phishing, as people are more likely totrust content if it appears to be hosted on a familiar domain,” Netcraftsaid.
Lesson in Liability
Webroot vice president of threat research Richard Stiennon toldTechNewsWorld that the security problems with the popular Google search enginewere partly symptoms of its success.
“Especially with a super-popular, almost ubiquitous online application,they’re inevitably going to end up having vulnerabilities,” Stiennon said.
The security analyst indicated that the key to the security dilemma is response, as Microsoft has found dealing with Windows vulnerabilities.
“The lesson learned here is if you’re the owner of an application orservice, you have to respond to every vulnerability, whether or not it’sexploited.”
Respond or Recede
There were no reported exploitations of the holes, and although some –including Jim Ley, who found the first vulnerability — criticized Google’sapproach to the issues as inadequate, Stiennon said the company had handledthe problems appropriately so far.
“This is new for them,” he said.
Stiennon also said that as Google moves beyond its Internet search roots andbegins creating more applications, such as its Desktop Search, it will needto stay focused on security and response.
“If they don’t respond quickly enough, the repercussions will teach themthat they have to do that,” he said.
Proof of Python
While Google has risen in prominence and popularity, the details of itssearch software, even though it is open source, are largely unknown to outsiders.This week’s security issues, however, appear to have provided more insightinto how Google operates.
Netcraft said the newer vulnerability that it had uncovered was in theapplication used to search Google’s own site and was on a host site that isnow unreachable. Searches now reportedly run from the parent google.com siteinstead, Netcraft said.
Netcraft also said that while confirming Google’s fix to the vulnerability ituncovered, it had found another application error that revealed fragments ofsource code, file structures and logic behind “the mysterious searchbehemoth.” Netcraft said it reported the discovery to Google, but was unsureof its implications.
“At a glance, it is not clear whether the Web application stack tracewould be useful to an attacker,” Netcraft said. “However, it does confirmthe widely held belief that Google are users of the Python programminglanguage.”
Improvement and Privacy
IDC analyst Sue Feldman told TechNewsWorld that despite concerns thatGoogle’s new desktop PC search could endanger systems and user privacy, thesearch company actually works to avoid tracking searches and users of itsproducts.
Referring to the reportedexposure of Google code, Feldman predicted a quick clampdown by the company.
“It is interesting that some of their source code was apparentlyavailable,” Feldman said. “I’ll bet it’s not anymore.”