Warning: Google Video Could Be Used To Hack Your Password at CompuWorld

Translate To:

[code via DI]

Flash Updates

Making Of

MP3

Tips Tricks Hacks

Optimize uTorrent Settings
Fantastic FREEBIES
Hacking Tips To Be Safe
Get Back 'Folder Options'
Capture Screenshots In Windows Media Player
Best Anti Virus
Checking Processor Speed
Computer Keeps Restarting
Orkut Scraps As RSS
Cheapest Data Recovery
Easy Fast Uploading
Convert Video Formats
Hidden Tool In XP
Secure Your Network
Notepad Alternative

Google Tips

Top 10 Ways To Improve Your PageRank
Search Google Without Ads
Google Advanced Search
Hidden Google Pages
10 Google Myths
FREE Stuff Via Google
FREE Torrent Files Via Google

Firefox & IE Tweaks

17 Firefox Extensions For Bloggers
Fullscreen in Firefox
20 Firefox Extensions
Preview Tabs In Firefox
Firefox Search Result In New Tab
Run Google Talk In Firefox Sidebar
Speed Up Internet In FireFox
Increase Number Of Simultaneous Downloads In IE7

Vulnerabilities Found

Internet Explorer 7 Flaw
Use Google Video To Hack Password
YouTube Could Be Used To Hack Computer
Yahoo Messenger 8.0+ Vulnerability

A Note About

Parental Control
Vista Short Review
Burning Laptops
To Imporve Eye Sight, Play Games!

Reviewed

NoHeat's Rank Checker
Fake Name Generator
Grafpup 2.0 for Linux
Mac OS X vs Vista
Vista Flavors
Centrino Duo
DivShare's Power Uploader

Warning: Google Video Could Be Used To Hack Your Password

This Article Is Sponored By You! | Tuesday, June 12, 2007 by Salman Siddiqui | Comments
I am now blogging on my self hosted blog CompuWorld and started another blog of mine the Senorita

Google Video could be used to learn the username and password of the users who post videos on there MySpace accounts. This is possible as Google uses http instead of https in the URL. A user posted this in digital points forum. This is what he posted:

When a friend sent me a link to this rather boring video http://video.google.co.uk/videoplay?...85184878490822 I immediately noticed the 'Email - Blog - Post to Myspace' link on the right side. As any curious person would do I decided to check it out to see how Google has integrated with MySpace.

So after clicking I was greeted with the following popup http://video.google.co.uk/blogpost?d...22&siteindex=3 and immediately noticed that the url of it was http, and not https. An insecure form... So I figured it must be posting the login details to a https url, so I pulled out live headers and this is what I got:

http://video.google.co.uk/blogpost

POST /blogpost HTTP/1.1
Host: video.google.co.uk
User-Agent: Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+
xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://video.google.co.uk/blogpost?d...22&siteindex=3
Content-Length: 42
Cookie: PREF=ID=26c938172fc51030:TM=1178041215:
LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
Pragma: no-cache
Cache-Control: no-cache
req=login&name=myusername
&pass=mypassword&site=MySpace

In short this users find says that Google is passing private information which includes MySpace, LiveJournal, Blogger, and TypePad login details over insecure channels. And since Blogger accounts sometimes use Google Accounts for login, such a flaw could expose a user’s GMail, Google AdWords, Google AdSense, and maybe even Google Checkout information (unless this information is encrypted).

The private and sensitive information is being passed without SSL, which is a basic and common step in the Internet security process.