After the ‘Google Search’ exploit
I was actually pretty surprised how fast the news propagated through the internet. After I posted the details of the exploit on Digg at about 8pm that night, it drifted off into obscurity. The following morning, however, a bunch of people somehow found the article, because it was already on the front page with 300 Diggs. Several hours later, the details were ALL over: Slashdot, Newsforge, Digg and all the other big sites had discussions about the exploit. In some cases people were confused, and I did my best to link back to the article so they knew what was going on.
It wasn’t clear to everyone from my previous article, but Google had known about the exploit for several weeks and immediately shut down the login page for the service. While existing pages were left up, they did the right thing as soon as I reported the details of the bug to them, by making sure no one could actually exploit it.
While I believe I took appropriate action by first disclosing the exploit to Google and waiting until the service had been closed for several weeks, a few people were concerned about the disclosure. In my opinion, keeping the exploit quiet is the far worse scenario. While I don’t know of any other sites like this in existence, I think a headline of this nature is FAR preferable to a headline that says ‘Thousands give credit card numbers in Google Phishing exploit’. Thousands of people were able to learn what the whole ‘http://www.google.com/u/’ style URL meant, and will not fall for this exploit if it exists in the wild somewhere.
As best I can tell, I served about 245,000 requests and 20 GB of pictures. I’m happy to say that my host, Dreamhost, kept the site up during the Digg/Slashdot/etc… rush!
Thanks to everyone who helped spread the word and left comments. Keep an eye on this site as well; I definitely love looking for these kinds of things.
You can read the official report by Google here:
http://googlewebmastercentral.blogspot.com/2006/09/for-those-wondering-about-public.html
September 18th, 2006 at 6:15 am
It isn’t often that we hear news of Google exploits (and something they acknowledge and shut a service down? wow), so obviously the /. and digg effects spread fast.
It was a very simple and clean hack. Just some clever CSS, so I think a lot of people (should have) understood, and that should have contributed to the popularity of the story as well. Keep up the good work! And it’s good to know that Dreamhost keeps your blog alive - they are the awesomeness host.