21 November 2010

Could it be true?!



‘WHOA’: CAN YOUR GMAIL ADDRESS BE ‘HARVESTED’ IF YOU ARE LOGGED INTO GOOGLE?


Right now you are reading a story on The Blaze. I have no idea who you are and you probably like it that way. But what if I had secret Managing Editor powers that allowed me to see your actual e-mail address whether you wanted me to or not?

You might consider that to be a “pretty big security hole.” The folks at TechCrunch sure do:
The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain.
If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.
Michael Arrington includes a screen grab of the e-mail:
Arrington has some theories on how this is being done.  Read it here. But the import is clear: “The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable.”

http://www.theblaze.com/stories/whoa-can-your-gmail-address-be-harvested-if-you-are-logged-into-google/
*   *   *
UPDATE:

What is the exploit? We don’t know, and Google has yet to respond to us about it. We note that the site doing the exploiting is on Google’s own blogging platform. One developer we spoke with was confused as well, saying:
i have no idea what this is exploiting but there’s a decent chance it has something to do with Friend Connect and the way it passes data between iFrames (ie yes, it very well could be opensocial related). whatever is going on it’s an extremely serious security and privacy violation and i am confident google will address this in moments counted in minutes.
i can’t recall ever having seen anything like this on a major IdP’s website. it’s scary stuff.
If you insist on trying this yourself (hey, I did), the email to you will likely be in your spam filter.
This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. See the second comment thread here for a related issue with App Engine a month ago.
Update: The site is now down. Here’s what it looked like:

Update 2: Email from Vahe, the man behind this:
Hi Mr. Arrington,
I see you have already shared the news. It’s good that google got it down, I really don’t want people to know about how that was done (if Google contacts I will definitely tell them – they just don’t answer my emails). Problem relies solely on Google.
Problem is I asked a lot of people, and most of them don’t really understand and care about this kind of things and big companies act like they all really protect our privacy and such, but they see that people don’t care and don’t do anything really.
Regards,
Vahe G. (Armenian 21yrs guy whom Google doesn’t wanted to even talk to)
Update 3: From Google: “We take potential security issues very seriously, and our team is actively investigating this one. We’ll share more information soon.” I suggest Google contact Vahe directly, he seems like he’d love to talk to them.
Update 4: Google says the issue is now resolved: “We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com.”


5 comments:

Crystal Clear said...

Global governance has to know EVERYTHING.
It seems normal to me that if they provide a communication platform, they also know all the correspondence of every open account.
That is logical.

Riddick said...

Officially, supposedly that's not the case... :)

Crystal Clear said...

I don't buy it :)))

Google is a bigger, globalist server

Riddick said...

Google has fallen into line

http://riddickro.blogspot.com/2010/07/google-s-dat-pe-brazda.html

Crystal Clear said...

Google is opening an office in Romania too.

So it can monitor us better...

