Translate To:


[code via DI]

Flash Updates

Subscribe By MailE-Mail Address:

Making Of

MP3

Tips Tricks Hacks

Google Tips

Firefox & IE Tweaks

Vulnerabilities Found

A Note About

Reviewed

Warning: Google Video Could Be Used To Hack Your Password

This Article Is Sponored By You! | Tuesday, June 12, 2007 by Salman Siddiqui | Comments
I am now blogging on my self hosted blog CompuWorld and started another blog of mine the Senorita


Google Video could be used to learn the username and password of the users who post videos on there MySpace accounts. This is possible as Google uses http instead of https in the URL. A user posted this in digital points forum. This is what he posted:


When a friend sent me a link to this rather boring video http://video.google.co.uk/videoplay?...85184878490822 I immediately noticed the 'Email - Blog - Post to Myspace' link on the right side. As any curious person would do I decided to check it out to see how Google has integrated with MySpace.

So after clicking I was greeted with the following popup http://video.google.co.uk/blogpost?d...22&siteindex=3 and immediately noticed that the url of it was http, and not https. An insecure form... So I figured it must be posting the login details to a https url, so I pulled out live headers and this is what I got:

http://video.google.co.uk/blogpost

POST /blogpost HTTP/1.1
Host: video.google.co.uk
User-Agent: Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+
xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://video.google.co.uk/blogpost?d...22&siteindex=3
Content-Length: 42
Cookie: PREF=ID=26c938172fc51030:TM=1178041215:
LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
Pragma: no-cache
Cache-Control: no-cache
req=login&name=myusername
&pass=mypassword&site=MySpace


In short this users find says that Google is passing private information which includes MySpace, LiveJournal, Blogger, and TypePad login details over insecure channels. And since Blogger accounts sometimes use Google Accounts for login, such a flaw could expose a user’s GMail, Google AdWords, Google AdSense, and maybe even Google Checkout information (unless this information is encrypted).

The private and sensitive information is being passed without SSL, which is a basic and common step in the Internet security process.

Related:
Warning: YouTube Could Be Used To Hack Your Computer
Google Desktop Vulnerable To Attack
Search Google Without Google Ads
Awesome Hidden Google Pages

Technorati Tags: google hack

Labels: ,


My Mom Hates Me Blogging!Will You Help Me Show Her That I Am Good At It...Please?


==========Your Comments==========

>>>>>>>Click Here To Leave Your Precious Comments.<<<<<<<



“This Article”

Recently Published Articles

Warning: YouTube Could Be Used To Hack Your Comput... - Posted on Tuesday, June 12, 2007

Watch Out Paris, Britney Another Celebrity Site Wi... - Posted on Tuesday, June 12, 2007

Microsoft Windows Vista Goes Spanish - Posted on Monday, June 11, 2007

Now A Church Sues Sony - Posted on Sunday, June 10, 2007

Comparison Of The Best Anti Viruses Available - Posted on Sunday, June 10, 2007

Want To Bet On Google's Next Move - Posted on Saturday, June 9, 2007

Google Did Not Ignore Your E-Mail - Posted on Friday, June 8, 2007

Hindu Group Making Software To Partly Block Orkut - Posted on Friday, June 8, 2007

IITk Website Hacked - Posted on Thursday, June 7, 2007

Great Collection Of 17 Firefox Extensions For Smoo... - Posted on Thursday, June 7, 2007

Moved

I am now blogging on my self hosted blog CompuWorld and started another blog of mine the Senorita

Money Makers


PPP Direct

Archives

Blogroll

Recent Comments