They are not allowed to!
Maybe some of you have read RSnake's blog post about the Google files that were discovered open to the public some days ago. I don't want to talk about that issue now, but let me quote one statement of RSnake's:
"Google has a responsibility to be better about this than most people. Why? Because they have more market share. They cannot mess up. They don't have the right to.
If some tiny mom and pop web-store has this issue it's bad. If Google has it, it could affect hundreds of millions of people. Sorry, that's just not allowed."
That is exactly what I have been thinking about a lot recently: big sites' accountability to their users. I'm certainly not an anti-Google zealot as RSnake is, but this is worth a thought anyway.
Now let's get back to security. As a matter of fact, Google's whole security model depends on there not being a single XSS vulnerability anywhere. Because one login serves all of their services, their Single Sign-On implementation can be fully compromised through a single insufficiently sanitized input field. That's why they are so fast at fixing such vulnerabilities as soon as any are disclosed, so one may assume that they are aware of the danger.
Back in October 2006, Google bought YouTube, pretty much the biggest social networking site, with millions of users every day. Everyone is allowed to upload videos, to build groups and to have a publicly viewable profile.
YouTube in fact enjoys a very good reputation with the general public, apart from a few copyright issues that come up from time to time, which are of no real significance here.
Another popular social networking site is MySpace. In October 2005, it was infected by the Samy worm, which became the first major web worm to rely on XSS vulnerabilities for its propagation. Samy altered over a million MySpace user profiles in a single night.
Unlike other types of worms, these web worms propagate only when a user interacts with them: when a user opens an infected page, the injected script runs in that user's session and infects that user's own page as well. That means the more users the exploited platform has, the better the worm spreads. It grows exponentially.
Given that, social networking sites seem to be the best target due to their high traffic.
Now what do you think would run through all kinds of media if such a worm were released on YouTube and not only infected the users' profiles but also stole their login credentials, plus those they use to log in to Google's services? That is all trivial work for a well-versed attacker.
Trust me, I am not kidding: that could happen any day and surely will if YouTube's developers don't change the way they treat security. While researching, I identified dozens of vulnerabilities. Due to the high number, I neither counted them nor prepared PoCs, but there were about 20 to 25 reflected and around 10 persistent XSS vulnerabilities. Additionally, it appears that CSRF is a foreign word to them.
I informed them about it, but I don't actually expect an answer. Apparently they didn't learn anything from Samy.
Anyway, if that happened one day, THEN we would have a real problem.
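The two defects the post keeps returning to, an input field reflected into HTML without sanitization and a state-changing request with no CSRF protection, are small enough to show side by side. The following is an added example written for this page, not code from YouTube, Google or the author: a hypothetical profile handler with the unsafe reflection next to its escaped form, and a per-session CSRF token check in front of the update. The payload string, the session dictionary and the function names are all constructed for the illustration.

```python
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

# Constructed example: a profile page that reflects a user-supplied display
# name. The unsafe variant interpolates the raw string; the hardened variant
# HTML-escapes it so any markup in the field is rendered as text, not executed.

def render_profile_unsafe(display_name: str) -> str:
    """The 'insufficiently sanitized input field': reflected verbatim."""
    return f"<h1>Profile of {display_name}</h1>"


def render_profile_safe(display_name: str) -> str:
    """Escape <, >, &, and both quote characters before the value hits HTML."""
    return f"<h1>Profile of {html.escape(display_name, quote=True)}</h1>"


def contains_script_tag(rendered: str) -> bool:
    """Crude check used in the demo: did a raw <script> tag survive rendering?"""
    return "<script" in rendered.lower()


# CSRF defence: a random per-session token is embedded in every form and must
# be echoed back unchanged on any state-changing request.
def issue_csrf_token() -> str:
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison; missing tokens on either side fail closed."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def handle_profile_update(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical handler for a profile update: refuse the request unless the
    submitted form carries the token stored in the caller's session."""
    if not csrf_token_valid(session.get("csrf"), form.get("csrf")):
        return 403, "CSRF token missing or invalid"
    session["display_name"] = form.get("display_name", "")
    return 200, render_profile_safe(session["display_name"])


if __name__ == "__main__":
    # Constructed payload: harmless marker, only used to show escaping.
    payload = '<script>alert("xss")</script>'
    print(render_profile_unsafe(payload))   # tag reaches the page intact
    print(render_profile_safe(payload))     # tag is rendered as text
    sess = {"csrf": issue_csrf_token()}
    print(handle_profile_update(sess, {"display_name": payload}))                       # 403
    print(handle_profile_update(sess, {"display_name": payload, "csrf": sess["csrf"]}))  # 200
```

Escaping at the point where the value is written into HTML (rather than filtering on input) is what stops a stored profile field from becoming a Samy-style worm; the token check is what stops a page the victim merely views from changing that victim's account on their behalf.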

3 Comments:
Nice article!
And you are exactly right about that. With Google also, they can't mess up, mainly due to their whole single sign-on system. I think this will be exploited one day; it just begs for it. There are so many scenarios possible, like CSRFing AdSense to Gmail detection, changing accounts and email addresses; the more connected, the bigger the risks. I saw on sla.ckers (in the full disclosure section) today that they have found a new Gmail XSS hole.
No kidding, if this is implemented instantly, millions can lose all their accounts.
0x000000.com
Sure, hundreds of millions of users could lose their accounts. That would probably be what Google considers the worst-case scenario; however, that's only one thing.
The other, way more interesting consequence will be the change of mind of average internet users. I mean, if someone who has no clue about all these things hears on TV that Google has been compromised, he will automatically think that all websites are compromised by default, because if even Google isn't secure, who is?
I agree that doesn't make much sense, but for normal people it does, I think. So all these people would probably radically change the way they behave on the Web. They will feel very unsafe using eBay, Amazon or their bank accounts.
So by compromising Google's system you are also compromising Google's reputation, which is what their success is built on.
It makes you wonder if Google considers the implications of security/insecurity when it buys out a company like YouTube.
What precautions do they take when integrating one platform into another? Based on your research I would wager that it isn't much. But in reality, they're putting a lot at risk by merging these systems. Like you said, their reputation accounts for a lot of that market share RSnake was talking about.
There is a great injustice presented when large organizations can mass-promote themselves as trustworthy entities, and not take responsibility when their insecurities victimize people.
*shrugs* I guess that's big business.