Blog Archive

16 January 2007

AdSense coming to Google Apps for Your Domain?

Whilst playing with Google Apps for Your Domain the other night, I was wondering whether any more services were in the pipeline. Since it uses a similar approach to Google Accounts for its service login pages, I thought I’d see what I could find.

If you’ve not already seen my Google Account Service Names page, it contains a list of all known Google Account services along with the code used in the query string of various Google Account addresses. I’ve now added Google Apps for Your Domain service names to this page – and these are what I’ve found so far (using Google.com as the example domain):

So nothing new and exciting there then. We already knew about all of them, except for AdSense.

Does that mean they’re going to add AdSense to the available services? If so, I’m really not sure how this would be beneficial to users, other than making it easier for anyone hosting their site with Google Apps for Your Domain to include AdSense in their pages. Perhaps that’s the idea...

Update: 16 January 2007 (14:08)

Actually, this has been mentioned before when Google Apps for Your Domain was updated a couple of months ago. Referring to customizing the start page, the instructions said:

Once published, you may sign up for AdSense for search to earn money from your start page.

However, I can’t find any reference to AdSense in my account or in the Google Apps for Your Domain Help pages when searching for [adsense] either.

Update: 19 January 2007 (17:10)
* Added Start page editor – pspc – to the list.

Update: 6 February 2007 (14:07)
* Added Google Spreadsheets (wise) and Google Writely (writely) to the list.



14 January 2007

Details of Google's Latest Security Hole

I’ve now received confirmation from Google’s Security Team that the latest vulnerability Philipp posted about has been fixed. After carrying out some investigations of my own, I believe this is the case – so I’m going to share with you what the problem was and how I was able to exploit it. In doing so, I hope to educate other developers about the potential flaws that can occur in increasingly complex web applications.

In summary, I was able to create a page that was hosted on a google.com domain, which is something that should never be allowed to happen. Because of this vulnerability, I was then able to use a simple bit of code to steal someone else’s Google cookie and access their Google services.


Background

Earlier this month, Google announced that Blogger Custom Domains would allow you to host your own blog on the Blogger platform using your own domain name rather than a blogspot.com address.

Here’s how it should work:

  1. Buy your domain name – e.g. example.com
  2. Create a CNAME record that points your domain or subdomain to ghs.google.com – e.g. blog.example.com (see these Blogger Help and Google Help entries for more information on DNS settings and creating CNAMEs)
  3. Set up your blog using a blogspot.com address (if you’ve not already got one) – e.g. example.blogspot.com
  4. Enter your domain name in Blogger’s Custom Domain publishing settings – e.g. blog.example.com
  5. Any requests to example.blogspot.com would be redirected to blog.example.com where your blog is now being hosted by Blogger

Soon after this feature was announced, I realized that you could enter any domain name in Blogger’s Custom Domain publishing settings regardless of whether you owned the domain or had set up a CNAME to point to ghs.google.com. Since Blogger claims that “you don’t have to pay extra for hosting service” and Google promotes private registration (meaning your details are withheld from a WHOIS lookup), there’s no reliable way to verify whether the Blogger user actually owns the domain they’re entering.

Under normal circumstances, this isn’t a problem; entering a domain that doesn’t have its CNAME setup to point it to ghs.google.com would simply result in any requests to the blogspot.com address being redirected to the domain. And this is actually useful for anyone with a blogspot.com address who wants to move their blog away from Blogger’s servers by using either FTP-publishing or another blog service altogether. (For example, ruscoe.blogspot.com now redirects to ruscoe.net which is hosted on my own server.)

This could only cause problems if you were to enter a domain name that already had a CNAME pointing to ghs.google.com (or another address that’s pointing to the same place). But what are the chances of being able to find a domain that’s already set up like that? Well... it was easier than you might think.

Proof of Concept Implementation

In the Google Blogoscoped Forum, Art-One had reported that he’d seen a Japanese blog being hosted at ghs.google.com (which is the same domain used by Custom Domains in Google Apps for Your Domain).

Whether this was done intentionally or completely by accident, someone had entered ghs.google.com as their Blogger Custom Domain. Since no blog was set up at this address, Blogger had allowed them to host their blog there. And that’s when the alarm bells started to ring. This would allow me to host my own content on the google.com domain too...

Since I keep a close eye on Google subdomains, I knew that ghs.google.com wasn’t the only google.com domain that pointed to that location and I immediately claimed ghs.l.google.com as my custom domain. (Google quite often has *.google.com subdomains setup as CNAMEs for their *.l.google.com equivalents.)

As any web developer will know, a page hosted at an address like ghs.l.google.com is perfectly capable of reading and writing google.com cookies, which meant that when Philipp visited my “proof of concept” page hosted on the ghs.l.google.com domain, I was able to “borrow” his google.com cookie data. This can be easily achieved using some simple JavaScript that would read the cookie and place the data into a hidden form field element. The form could then be automatically submitted to another server which would be hosting a server-side script capable of logging the form data to a database, text file or send it in an email.

Once the cookie data had been received, there are a number of methods which could be used to write data to a google.com cookie – meaning the hacker would be able to have the same google.com cookie data as you, giving them access to your Google Account and services.*

Problem Fixed

The Google Security Team was informed of the issue before I’d even written my proof of concept script to test on Philipp. Around three and a half hours later, Google had deleted my test page and were redirecting both ghs.google.com and ghs.l.google.com to Blogger’s standard “blog not found” page. (They’re now redirecting both addresses to the Google.com home page.)

Later that evening, I received this response:

Thank you for reporting this issue to us. We take the security of our users and their information very seriously. We wanted to let you know that we addressed this problem with expediency and have taken steps to ensure it cannot occur again.

It seems that Google followed my advice and fixed the problem by disallowing any Google domains to be entered as a Blogger Custom Domain. Trying to enter a Google domain in this field will return an error stating, “Another blog is already hosted at this address.” (Theoretically, this is overkill because the domain would also need to be pointing at ghs.google.com – but it’s always better to be safe than sorry!)

Avoiding Vulnerabilities

There are a number of ways to make sure you – as a user – don’t get caught by a security loophole like this. Some people would say you should only visit pages you trust – but who doesn’t trust a page on the Google.com domain? Others might say the answer is to disable JavaScript in your browser – but then you wouldn’t be able to use websites and applications that rely on JavaScript being enabled. You could also turn off or clear your cookies – but that could prevent many services that require a login from working. In this case, my proof of concept script would have failed if the user had either signed out of their Google Account, cleared their cookies or disabled JavaScript before visiting my page. But would you be prepared to do that before visiting any website you didn’t know was 100% safe? Of course, I could have just put up an official-looking page that was hosted on a Google domain showing a Google Account login box asking for a username and password – and who wouldn’t enter their Google Account details if they thought they were going to be one of the first to get a peek at a new Google service?

How can companies like Google prevent this from happening when developing new applications or features? I guess the most important rule is to make sure nobody can host or inject content (and particularly scripts) on your primary domain or a subdomain of your primary domain. This isn’t the first time that Google has allowed this to happen. Just a few months ago, a user realized the Google Public Service Search could be exploited in a similar way, demonstrated with his Gmail Plus phishing page. This time it was a very special case though. Who would have thought that someone would find a google.com domain pointing to the right place and enter it as their custom domain? Some simple input validation would have allowed them to reject any requests for google.com domains to be used. But perhaps a more secure approach would have been to use a completely different domain in the first place – something like googleservicehosting.com, hostedbygoogle.com or googleafyd.com – all of which Google already own. It’s too late to change that now though, as thousands of users will already have pointed their domain to the ghs.google.com address.
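As an added illustration of the input-validation point above (example code written for this post, not Blogger’s or Google’s own), the following Python validator rejects any custom domain that is the hosting provider’s own apex domain or any subdomain of it (so ghs.l.google.com is caught as well as ghs.google.com), and additionally requires the domain’s CNAME to point at ghs.google.com before it is accepted. The provider domain list, the offline DNS stub and all function names are assumptions.

```python
import ipaddress
import re

# Apex domains the hosting provider itself owns (constructed for this example;
# a real deployment would load the full list of its own domains).
PROVIDER_APEX_DOMAINS = frozenset({"google.com", "blogspot.com"})
# Target a customer's CNAME must resolve to before the domain is accepted.
HOSTING_TARGET = "ghs.google.com"

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_hostname(raw):
    """Lower-case, strip whitespace and any trailing dot (FQDN form)."""
    return raw.strip().lower().rstrip(".")


def is_valid_hostname(host):
    """Syntactic check: a dotted name of valid labels, not a bare IP address."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP address is never a custom domain
    except ValueError:
        pass
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def is_provider_owned(host):
    """True if host equals a provider apex domain or is a subdomain of one."""
    return any(host == apex or host.endswith("." + apex)
               for apex in PROVIDER_APEX_DOMAINS)


def validate_custom_domain(raw, resolve_cname):
    """Return (accepted, reason). resolve_cname(host) -> CNAME target or None."""
    host = normalize_hostname(raw)
    if not is_valid_hostname(host):
        return False, "not a valid hostname"
    if is_provider_owned(host):
        # The rule Blogger applied after the report: provider domains are off limits.
        return False, "another blog is already hosted at this address"
    target = resolve_cname(host)
    if target is None or normalize_hostname(target) != HOSTING_TARGET:
        return False, "domain does not point at " + HOSTING_TARGET
    return True, "ok"


# Constructed stand-in for a DNS lookup so the example runs offline.
FAKE_DNS = {
    "blog.example.com": "ghs.google.com.",      # correctly delegated customer domain
    "ghs.google.com": "ghs.l.google.com",       # provider's own hosting alias
    "elsewhere.example.net": "hosting.example.org",  # points somewhere else
}


def fake_resolve_cname(host):
    return FAKE_DNS.get(host)
```
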

Another way to prevent this from ever happening again would be to change how the same cookie is used to identify a user and give them access to many services. It seems odd that I could access Philipp’s Google Account at the same time as him from a completely different location, via a different IP address, using a different web browser with exactly the same cookie data. Admittedly, Google’s cookie is probably more secure than most – and I could no longer access his account when Philipp changed his password.

Finally, I think it’s worth pointing out that only a small number of people would have been able to exploit this security vulnerability because there are only a limited number of google.com domains which would have met the requirements – and once a domain is “claimed” it is unavailable for others to use. Also, the Japanese blog didn’t contain any malicious script and my proof of concept page was only online for a few hours at an obscure address that was only visited by myself and Philipp. But if you have reason to believe that your account has been accessed without your permission, the best advice is probably to change all your passwords as soon as possible.

* Services that were accessible using this technique included: Google Alerts, Google Analytics, Google Base, Google Bookmarks, Google Code, Google Co-op, Google Docs and Spreadsheets, Google Finance, Froogle Shopping List, Google Image Labeler, Google in Your Language, Google Groups, Local Business Center, Google Maps (Saved Locations), Google Notebook, Personalized Homepage, Personalized Search (Search History), Google Reader, 3D Warehouse (SketchUp), Google Video and Google Webmaster Tools.



13 January 2007

On Google Account Hijacking

I wasn’t going to post anything about this security vulnerability I discovered yesterday, but then I read this post by Jim Thomson over on the Chron.com TechBlog saying:

Tony Ruscoe is a web designer who achieved his 15 minutes of Google fame when he discovered the Google Base domain in October of 2005. There’s no mention of the exploit at Ruscoe’s blog; the most recent thing there is a recipe for his New Year’s Day pie. Apparently he’s been too busy breaking into Google to do much blogging.

Heh. (I guess they got that ‘Google fame’ bit from my About page.)

So anyway, I figured I should probably acknowledge what happened just in case people are visiting my website expecting to find more details about the exploit. Right now, there’s not much more to add to what Philipp’s already said. However, since Google’s Security Team has confirmed the problem is now fixed, I’ll be making a post over at Google Blogoscoped soon that will shed some more light on the ins-and-outs of this particular vulnerability.

Update: 14 January 2007 (17:06)
The post is now online: Details of Google’s Latest Security Hole

And remember, security problems like this are rare at Google – so sleep well and don’t have nightmares.



6 January 2007

Recipe for All Seasons Pie

For the past couple of years, I’ve made a pie at New Year. (Here’s a photo of the one I made on New Year’s Day 2006.) It’s a pie that I remember my mum and auntie making around the festive period, so I figured I’d kind of force it to be a tradition for me as it just reminds me of New Year.

Anyway, Chris asked me for the recipe the other day, so I figured I’d post it here for everyone to enjoy. The recipe is taken from an old magazine, but unfortunately I’ve no idea what the magazine was called, otherwise I’d credit it here. Anything in square brackets [like this] is what I’ve added – including approximate conversions and some tips.


ALL SEASONS PIE
Serves 24 [as part of a buffet or about 8-10 people as a main meal]

For the pastry

For the filling

Roasting tin 16 inches by 12 inches and 1 inch deep
[Personally, I use a roasting tin 15 inches by 11 inches and 3 inches deep]

Sift the flour and salt into a large mixing bowl. Using a coarse grater, grate the margarine into the flour and mix it in with a knife. Stir in the grated cheese with enough cold water to make a fairly stiff but pliable dough. Wrap the pastry in a piece of greaseproof paper and leave it in a cold place to “rest” for at least half an hour. [In reality, grating margarine is a bit messy, so you could just cut it into small pieces, providing you rub it into the cheese and flour really well! Also, I’ve never had to add any water to make the dough fairly stiff and pliable.]

Meanwhile prepare the filling. Peel and dice the carrots, put them into a large pan of boiling, salted water and boil for ten minutes. Drain them well. Divide the sausagemeat into two-ounce pieces [that’s 16 pieces to save you working it out, although I tend to divide it into 32] and roll each into a ball. [I also coat them in flour once I’ve done this.] Cut the cooked meat into fairly small pieces and put them into a bowl with the carrots and sausagemeat. [Depending on how large your mixing bowl is, you may need to divide all ingredients between two bowls! I tend not to add the sausagemeat balls at this stage as I find they get in the way and break up when you mix everything together.] Wipe the mushrooms, cut them into quarters and add them to the meat with the peas, their liquor [i.e. juice], and the tomato soup. Mix all the ingredients carefully together—try not to break up the sausagemeat balls too much—and finally check the mixture for seasoning.

Divide the pastry into two and roll one half out into a rectangle about two inches larger than the tin. Lift the pastry over a rolling pin into the tin and press it well into the sides. Turn all the filling into the pastry and level it out. Roll the other piece of pastry to the size of the tin, damp the edges and lift it into position, pressing the edges well together; trim them with a sharp knife and knock them up. Roll the trimmings into a long strip about one-and-a-half inches wide, and cut out six large diamonds for leaves. Using the back of a knife, mark the top of the pie into a trellis pattern and brush the complete surface with egg glaze. Position the leaves in pairs pointing towards the centre, then brush them with egg glaze as well. [I tried that and the pasty base just got soggy and mixed in with the filling, so now I just throw all the mixture into the baking tin, place the sausagemeat balls carefully on top of the mixture and then roll the pastry into one piece the size of the tin, placing it on top of the mixture and glazing it with egg to make a thick crust.]

Bake the pie on the centre shelf of a fairly hot oven, gas mark 6 or 400 degrees [205°C], for twenty minutes, then reduce the heat to gas mark 5 or 275 degrees [135°C] for a further thirty-five minutes, until golden brown. [I found that around 180°C for 50-60 minutes in an electric fan oven was about right.]


And there you go. Please don’t be put off by some of the ingredients – it tastes much better than it sounds!



3 January 2007

Resolutions for 2007

Here it is. The first post of the year that everyone expects to see. It’s the post where I check how I did against last year’s New Year resolutions and list my new ones for this year...

Around this time one year ago I said:

I don’t really make New Year’s resolutions, mainly because I’m totally incapable of keeping them. Previous years have seen me try to stop biting my nails (several times) and give up kebabs (which is actually impossible). This year, however, I’m going to try and do a couple of things: chew my food more thoroughly and post to my blog more frequently.

So how did I do? Well, as if by magic, I’ve (almost) managed to stop biting my nails and I’ve hardly eaten any kebabs this year. But what about the things I actually said I’d try to do in 2006? Well, I’m sure I chew my food a bit more than I used to, although it’s probably still not good enough. And I’ve definitely posted to my blog more, with 65 posts in 2006 compared to 25 in 2005. Easy peasy!

Right then. What challenges do I have planned for this year? Here’s my list of resolutions and a rough indication of how likely I am to achieve each one:

  1. Run the Sheffield Half Marathon (99%)
  2. Try to look smarter at work – i.e. wear shirts, proper shoes, do something with my hair, etc. (95%)
  3. Eat evening meals at the table rather than in front of the TV (90%)
  4. Play guitar for at least one hour every week (85%)
  5. Give blood more regularly, ideally every 16 weeks (80%)
  6. Only go on my PC if I’ve got something I actually need to do, rather than sit browsing the Internet moaning about how boring it is (50%)
  7. Play my trumpet every once in a while (30%)
  8. Get an allotment to grow my own vegetables (20%)
  9. Volunteer my services to the local amateur theatrical society (10%)
  10. Come up with an idea for a website that will make me rich (1%)

And if I’ve told any of you about more resolutions which aren’t listed, let me know because I’m sure I’ve told people other ones that aren’t listed here...

Don’t forget to come back in a year to find out how I got on!

Update: 4 January 2007 (13:34)
Just thought of one I’d forgotten:

  • Watch more live bands (75%)
