Google Businesses Security The Internet

GoogHOle Exploits GMail, Picasa and 200K Other Sites 167

Giorgio Maone writes "Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites which outsourced their search engines (vulnerabilities included in the price). If even Google, a very reactive company when web security matters, does face this kind of problem, how serious is the threat and what can you do, as a "normal" web user, to protect yourself?"
  • by Anonymous Coward on Monday September 24, 2007 @10:28AM (#20728613)
    How do we blame this on Microsoft?
    • Hmm...

      I know! If Microsoft hadn't created a platform that became popular nobody would be using computers, so there wouldn't be users to exploit!
    • Re: (Score:1, Funny)

      by Anonymous Coward
      Simple, wait for Twitter to post and he will tell you. ;)
    • by MrMr ( 219533 ) on Monday September 24, 2007 @10:44AM (#20728851)
      Just quoting from the original so called 'Google' messages

      If you've read our previous post Say Cheese! then you know that Google's Picasa registers the picasa:// URI in the Windows registry and it is possible to abuse this registered URI through a Cross-Site Scripting exposure to steal a victim's images.

      So that's a windows only exploit?
      We could not possibly blame that on windows.

      • Re: (Score:2, Insightful)

        by vtcodger ( 957785 )
        ***So that's a windows only exploit?***

        I'd guess not. Picasa on Linux is a Wine application. Wine, of necessity, has a (yechhh) Registry and Windows API calls to tinker with it. So a registry based attack on the Google web site might very well stand about the same chance as any other complex software under Wine on Linux. Might work, might not. Again, that's a guess. Like 99% of the other posts on Slashdot, this one isn't based on actual knowledge or anything like that.

        • Wine, of necessity, has a (yechhh) Registry

          Yeah, registry databases [gnome.org] suck. Good thing they're only found on Windows ...

          As regards your initial assumption, though - Picasa for linux uses a modified WINE environment, not your standard WINE installation. This means that the registry entries are in ~/.picasa/ and inaccessible by normal WINE applications. So unless you've configured your system to use the Picasa variant of WINE as standard, you're probably safe enough ...

      • by Otter ( 3800 ) on Monday September 24, 2007 @11:07AM (#20729207) Journal
        We could not possibly blame that on windows.

        That has absolutely nothing to do with Windows. It's poor design in a Windows/WINE-only application.

      • I guess I shouldn't post those pictures of me, the midget and the nanny goat.

        But didn't the waterbed look good?
    • a luxury for developers.
    • My question is, should I use the search box provided on the hackademix.net pages?
    • You can't really. It's all Sun's fault. Javascript is what needs to be burned at the stake here.
    • by huckda ( 398277 )
      I blame Al Gore, for inventing the Internet...
  • Nothing... (Score:4, Insightful)

    by saleenS281 ( 859657 ) on Monday September 24, 2007 @10:30AM (#20728637) Homepage
    at the end of the day, when you rely on third party apps run by a completely different company, you can't do ANYTHING to protect yourself.
    • Re:Nothing... (Score:4, Insightful)

      by Billosaur ( 927319 ) * <wgrotherNO@SPAMoptonline.net> on Monday September 24, 2007 @10:44AM (#20728859) Journal

      Well, you can certainly stop using the apps... It's the problem of a user becoming too invested in any one thing (OS, DB, etc.). Whenever you become a pundit, a die-hard fan, or even just a casual, everyday user, you buy the whole package, bugs and all. You not only accept that an app proves useful to you, but that it will contain flaws that may prove problematic. Everyone seems to accept that because it is Google, they write perfect code. No way. The quality of code today is such that flaws such as these are inevitable. This doesn't make Google bad, stupid, or irresponsible; it's just part of the business. They will fix these things and life will go on.

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      This is exactly why I do not use any "Web 2.0" applications, why I still rely on an "old fashioned" POP3 mailbox and a real email client, and why ultimately all this Web 2.0 nonsense with centralised data that you access over the internet will fall through.

      Because it isn't secure. Even a little bit. It only takes one cracker to find a way in and all your data is no longer secure and there is nothing you can do about it!

      Here's me being all old fashioned and actually taking control of my own data. Silly
      • Re: (Score:2, Insightful)

        by Whatanut ( 203397 )
        Surely you're using secure pop3. And not just sending your password to the server in clear text...
        • by gomoX ( 618462 )
          And that POP3 server of his is 100% trusted. And the server's router. And the server router's router. And the server router router ...

          PGP is about the only way to have safe communications. Not perfect, you have to be careful with keys and everything else, but at least you will never be vulnerable to a script-based attack. There is no automatic way of stealing your PGP keys and passphrases, simply because very few people use it and it's so unstandardized that no one cares.
      • You know, there's nothing stopping you running a Web 2.1 (beta) web app on your own server, and providing IMAP access for your mail client when you are using your normal desktop/laptop.
    • Re:Nothing... (Score:5, Insightful)

      by Silver Sloth ( 770927 ) on Monday September 24, 2007 @10:56AM (#20729045)
      But I didn't build my car, my house, any of my white goods, in fact 99% of what I use every day was built by third parties. I can and should demand that the goods I purchase reach certain standards - in the UK this is enforced by law.

      However, anything I accept for free, anything where there isn't some sort of agreed contract between me and the supplier, then caveat emptor (pun intended)
      • Re:Nothing... (Score:5, Insightful)

        by aaronl ( 43811 ) on Monday September 24, 2007 @11:32AM (#20729585) Homepage
        This is true, however, there is one very large difference between Google and everything that you listed. While Google build the apps, similar to the case of your car, house, etc, they are also operating and maintaining the product. The car manufacturer doesn't *run* your car, or maintain it. If it breaks, you go somewhere and pay a different third party to fix it, or you fix it yourself. In Google's case, they have your car, and keep it running, and they come around and drive you places when you want them to.
      • by Intron ( 870560 )
        Hey guess what? There's probably a black box [expertlaw.com] in your car that measures what you are doing. Even though you paid for it, the manufacturer doesn't tell you about it, or give you any information about what it does or how to read it out, but it can still be used to void your warranty or as evidence against you by police or insurance companies. Welcome to the future.
    • Trust nobody! (Score:5, Insightful)

      by Per Abrahamsen ( 1397 ) on Monday September 24, 2007 @10:59AM (#20729089) Homepage
      Neither can you if you hire people to implement it on your own company.

      And if you do it yourself, you can be sure that the security will not be higher than your own skill set.

      If you want to trust nobody, you might as well retreat to an isolated island somewhere, as you will be unable to function in a society. The key to functioning in a society isn't distrust, but to be able to judge who to trust and who not to. Which is quite annoyingly mostly a social rather than a technical skill.

      ----

      I personally trust the people at Google more than I trust the people and products responsible for our internal mail solution (which is also available as web mail). Especially with regards to competence (as opposed to integrity). So I would love for us to switch.

      • by caluml ( 551744 )
        if you do it yourself, you can be sure that the security will not be higher than your own skill set.

        Unless you fluke it. Don't laugh, it's possible.
      • personally trust the people at Google more than I trust the people and products responsible for our internal mail solution (which is also available as web mail). Especially with regards to competence (as opposed to integrity). So I would love for us to switch.

        Not so fast there....

        If you're hosting mail/servers in-house, the people running them have responsibility to one company, if they're directly employed. Contract that to Google, which has hundreds of millions of customers. Losing one or two isn't

    • Re: (Score:2, Insightful)

      by dragonfoe ( 947822 )
      So only people who write their own code are safe?
    • by ceeam ( 39911 )
      Well, I hope your company has better programmers/admins than Google has.
    • Re: (Score:3, Insightful)

      by ajs ( 35943 )
      There are some things you can do to protect yourself [sendmail.org]. I've been running my own mail server for over 10 years, and I have to say that it's the least of my headaches from my home server. Keeping up with spam filtering technologies is a mild pain, but SpamAssassin has gotten quite good at making that less of an issue. I do wish MX handling were smarter than it is, but you don't *have* to worry about it.

      The only thing is that it ends up costing me in ISP price. Most of the net has gravitated toward the position
  • Not really clear (Score:3, Interesting)

    by Tribbin ( 565963 ) on Monday September 24, 2007 @10:33AM (#20728681) Homepage
    Is it completely in their hands?

    How do I know if I'm vulnerable?

    Can I do anything to protect myself?
    • by elwinc ( 663074 ) on Monday September 24, 2007 @10:43AM (#20728833)
      According to the article, the exploit uses Cross-site scripting, also known as XSS. There is a firefox plugin called NoScript that limits cross site scripts. The article points you to http://noscript.net/features#xss [noscript.net] which describes the anti-XSS protection of noscript. The noscript page suggests that you only load firefox plugins from addons.mozilla.org and sends you to https://addons.mozilla.org/en-US/firefox/addon/722 [mozilla.org] where you can download noscript.
      • Mod up. That's why I use Firefox with Noscript, PhishTank and a few other things...

        I wonder if these sites will show up in the "warning, this site may be nasty..." messages you sometimes get when browsing to a site via Google search...pretty useless IMHO, 'blacklists' go out of date so fast...
      • by Tribbin ( 565963 )
        I use Epiphany; am I vulnerable?
      • by suv4x4 ( 956391 ) on Monday September 24, 2007 @11:20AM (#20729385)
        If you run Firefox, install NoScript plugin

        Since Firefox users like to push forward NoScript a lot as some safety precaution (I run it for 2 months, and finally got fed up with enabling virtually any site I visit, so it operates, what's the point), I read a very interesting article about the embeddable nature of IE.

        You see, if Firefox can play WMP files on your machine (Windows machine) then every time you open a page (or video) in Firefox you potentially open IE, since WMP can open pages directly inside, and it uses IE regardless of your preferences.

        Similar situation occurs with IM-s like Skype and ICQ.

        As another commenter said above, security is illusion. Pure and simple.
    • Is it completely in their hands?

      They own the XSS code that has the vulnerability that is being exploited. Even programming that is outsourced is usually wholly owned by the outsourcing parent. To answer your question: yes, it is completely in their hands.

      How do I know if I'm vulnerable?

      Are you plugged into the interweb? Do you have a Gmail account? Yes and yes? You're vulnerable to this XSS exploit.

      Can I do anything to protect myself?

      There are no suggestions in TFA or the subsequent articles as to how to protect yourself from this specific exploit. However, there have been a few good recommendations in

  • Very few details. (Score:5, Interesting)

    by Poromenos1 ( 830658 ) on Monday September 24, 2007 @10:36AM (#20728723) Homepage
    The article is very low on details. I read it and I'm still not sure how it works, whom it affects and what I can do to protect myself (obviously, since I don't know how it works).

    It would have been nice if they went into some more detail for technical users.
    • by garcia ( 6573 )
      The article is very low on details. I read it and I'm still not sure how it works, whom it affects and what I can do to protect myself (obviously, since I don't know how it works).

      Well, based on the links that were provided in the many levels of linked blogs (which should have gotten as close to the Russian source as possible rather than the pimped blog listed in the blurb (PAY ATTENTION "EDITORS"), it seems like people have been alerted to this action.

      I can't find a single working link in any of the blogs
    • by Ragein ( 901507 )
      1. Firefox - Check
      2. NoScript - Check
      3. ... - Check
      4. Profit - Soon
      • I use Opera, does this mean I am forever doomed to fall in the hands of every internet predator that comes along?

        I still need the exact information if I am to make any informed decisions about my browsing habits.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      what I can do to protect myself
      Stay signed out of Google. Go to www.igoogle.com and if you see your name in the upper right, click Sign Out. The vulnerability comes from users surfing the web and clicking on a malicious link while being signed into Google.

      If you need to check your mail or use another of the Google suite, close all other tabs/windows and then sign in. Don't do random browsing at the same time for now.
    • Comment removed based on user account deletion
    • Low on details? The blog pointed to multiple instances of working PoC for every vulnerability it discussed. If you want to know how it works, read the code.
  • by nurb432 ( 527695 ) on Monday September 24, 2007 @10:43AM (#20728837) Homepage Journal
    Don't trust your data to 'on line' providers.
    • Many of these "online services" are done better by local software anyway. Why put your security in the hands of others, especially when they are in a much more vulnerable position (web-based service)??
  • by ChaoticCoyote ( 195677 ) on Monday September 24, 2007 @10:44AM (#20728849) Homepage

    You'll never be safe.

    Complex software designed for diverse interactions will always be vulnerable to some kind of attack, even if it's as simple as someone walking out of a data center with a thumb drive in their pocket. Almost every vulnerability stems from a "feature" implemented to make software easier/flashier/useful. Flexibility and expansiveness carry with them the price of vulnerability, and pretending otherwise is to wear blinders.

    Of course developers should do their best to prevent security problems -- but there is only so much that can be done when you also need to implement Really Cool Stuff. Every door you make is a door than can be kicked in, no matter how good your locks. The real world has never offered perfect security because it can't -- why expect engineered items to be safe from all evil?

    Treat software and computers with caution, like walking through a major city's downtown at midnight. Sure, it's dangerous at times -- but it can also be exciting. Just don't pretend that danger doesn't exist...


    • You'll never be safe.

      Exchange server behind 3 firewalls and a DMZ.

      Good luck.

      The point of this post is not that someone -inside- can/cannot exploit our setup, it's that the other 5 billion people on the planet can't get to it. The same cannot be said of GMail.

    • Treat software and computers with caution, like walking through a major city's downtown at midnight.
      If you choose the city carefully, the dangers can be negligible. As an example, I live in Bangkok. If you are walking around roaring drunk in this city at 2:00am, you are not in any real physical danger. (You may get pick-pocketed by someone targeting drunks, though.)

      I think the analogy with software and computers is actually pretty good.

  • by adnonsense ( 826530 ) on Monday September 24, 2007 @10:44AM (#20728857) Homepage Journal

    FTFA:

    For such an attack to be successful, the victim just needs to visit a malicious website while logged in Google, e.g. by following a link from an incoming message

    ... but I already use a separate SeaMonkey browser profile for my GMail account (don't want it being associated with my normal Google searches), and access untrusted URLs using another browser running under a different user. As a matter of habit (I do web-based stuff and I'm used to having several different browsers open). Probably not 100% foolproof, but helps me sleep easier at night.

    • Re: (Score:3, Insightful)

      by neurovish ( 315867 )

      ... but I already use a separate SeaMonkey browser profile for my GMail account (don't want it being associated with my normal Google searches)
      ...and this "gmail only" browser is on the same computer, with the same IP as the one you use for general google searching? I think they'd figure that out.
      • Re: (Score:3, Insightful)

        by adnonsense ( 826530 )

        ...and this "gmail only" browser is on the same computer, with the same IP as the one you use for general google searching? I think they'd figure that out.

        If "they" were really after me specifically, I'm sure they would. It's more a matter of not having all my stuff associated with the same Google cookie.

      • by Ant P. ( 974313 )
        It could be on the same 60000-computer NAT for all they know.
    • by AVee ( 557523 )
      You've got a GMail account, I could call you a lot of things, but paranoid is not on that list. No one with a GMail account can be called paranoid. Period.
    • Security Through Multiple Personality Disorder

      which is of course a joke, but is a philosophically sound observation: you can't steal the identity of someone whose identity is fluid

  • I hope that I'll never have to install a patch from google. I that would be the word day. Does anyone know if google will fix this problem (I'm not even sure what the problem is other than there's 3 of them) or are they going to tell us what we need to prevent those exploits?
  • Seems like these articles are never clear (or I just miss it) but how many of these exploits work on Linux?
    • Re: (Score:3, Informative)

      An exploit like this would certainly work with Linux if the right conditions exist. Have a Gmail account? Scripts enabled in Firefox? Yep. Could work on Linux.
  • if only I had followed the trend to use gmail and picasa I would be quite upset
  • by blueZ3 ( 744446 ) on Monday September 24, 2007 @10:51AM (#20728975) Homepage
    If even Google, a "very reactive" company faces these issues, what can be done? The answer: Nothing can be done.

    There is no way (unless you're writing something with hundreds, rather than thousands of lines of code) that every code path is going to be audited carefully enough to catch every possible bug. Good coding practices aside, programmers are human and make errors. You do your best to catch as many as you can, and that's all you can do. When you're a "consumer" of code, you look for an organization that seems to be doing this and use their stuff. There's no complete, proactive solution to bugs.

    The important thing is that you want someone "very reactive." An organization that acknowledges these flaws up-front, publicly announces vulnerabilities with a work-around until they're patched, and then corrects problems in a timely manner. Some companies are more like this than others.
  • by JeremyGNJ ( 1102465 ) on Monday September 24, 2007 @10:56AM (#20729051)
    At the end of the day you can sight all kinds of flaws in Microsoft and closed source software. However, for as you're running that software LOCALLY on your computer, then you have the ability to take measures to protect yourself.

    If you're drinking the google-juice just because it's "cool" or you want to support them because they're "not evil", you're only doing yourself a disservice.

    Keep your email local, don't save your passwords on a public "service", don't keep naked pictures of your girlfriend on your "G-Drive", etc etc etc

    Common Sense
    • "At the end of the day you can sight all kinds of flaws in Microsoft and closed source software. "

      Close, but not quite.

      Sight (v): to acknowledge that you have seen or received a document, as in, 'inwards goods has sighted the receipt'

      Cite (v): to quote as a reference or source in an argument, as in, 'I can cite 5,124 open bugs in Microsoft Office to support my case'

  • FTFA

    For such an attack to be successful, the victim just needs to visit a malicious website while logged in Google, e.g. by following a link from an incoming message

    This is something that can pretty much be said about any site where you login, and is really nothing new. If you're logged in someplace on one browser/profile, then anywhere you visit can potentially have the same rights as you on this site. With the prevalence of XSS and CSRF vulnerabilities around the internet these days, I don't consider any site "safe". This doesn't mean I suggest going all tinfoil hat, just be aware of what rights you currently have and take measures to protect the data that co

  • But.. but.. just yesterday we were told that Gmail was "revolutionary". /facepalm
  • If even Google, a very reactive company when web security matters

    Google are among the worst when it comes to being reactive. Example [jibbering.com]:

    For over two years Google has had an script insertion flaw, I reported it two years ago, and again a couple of months ago, but still it's not been fixed.

  • perhaps one of the simplest examples of a program involving transactions and user interaction

    now consider the number of hacks you can use to exploit a vending machine (granted many are physical hacks, but you could call that analogous to social engineering hacks involving "real" software)

    now, if something as simple and as straightforward as a vending machine can be exploited, then the obvious conclusion is that:

    we should not express shock that google can be hacked, but we should express shock that any of us expected it couldn't be hacked

    any computer program of sufficient complexity will be hacked. not could be. will be

    and the internet is well into the zone of "sufficient complexity"
  • what to do (Score:3, Insightful)

    by Anonymous Coward on Monday September 24, 2007 @11:22AM (#20729433)

    what can you do, as a "normal" web user, to protect yourself?
    Ahhh... NoScript!

    Turn off client side scripting.

    OR

    echo "127.0.0.1 google.com" >> /etc/hosts

    When I first started in web development it was hammered into us that client side scripting MUST degrade gracefully. What ever happened to that rule?

    I hate sites locked to "Web2.0" only! For the most part I will not use them. There are only a handful of URL's in my scripting white list, most of them my own sites.

    Yes, I use some client scripting, but it degrades properly.

  • Don't draw attention to yourself.

    If they don't have a reason to target you, they probably won't.
    • That's a bogus argument. Of course they're not interested in you specifically, but they don't ignore people who just keep their heads down. They aren't looking to target specific, well known people. They are interested in exploiting any vulnerability to steal user data, machines, bank account details, etc.

      If you think you're secure because you don't think you're important enough to be a "target", then you'll probably end up as one.

  • The Mac Method (Score:2, Interesting)

    I handle most third party apps for the Mac (which are usually on a .dmg) like this :
    (1) Download .dmg to ~/noinstall/.
    (2) when I wish to use that app I mount the image and use app from the temporarily mounted image.
    (3) When done using app unmount .dmg.
    (4) Profit!
    Of course there are quite a few GNU apps on my Mac which were built and installed from source, but I've never had a reason to feel leery of those. All the G-apps and all third party proprietary apps are in ~/noinstall. Always knew that would pa
    • by Pope ( 17780 )
      That's pretty retarded, a goodly number of apps will fail when run from DMGs. Disk images are supposed to be a delivery mechanism, not a sandbox to run apps in. I also fail to see any benefit from doing this, since the app will still write its preference file into ~/Library/Preferences/
    • DMG's are interesting. Take all the vagaries of file systems -- and seriously, they're infamously fragile, like little else actually -- and hand attacker controlled bytes to parsers that live in the kernel.

      Boom. Seriously.
  • by Doc Ruby ( 173196 ) on Monday September 24, 2007 @11:56AM (#20729899) Homepage Journal
    I don't let websites keep my credit card info, or any password other than the one needed to unlock their own site, or any other personal info that is valid outside their own realm, unless their service won't work otherwise.

    The Web would be a lot more secure if my browser had a keyring integrated with my own computer, and I kept my secrets on my own computer under my own control. When challenged by any server for a secret, my browser or other client SW I'm using should pull the secret from the keyring and supply it to the server. That service should let me use a master key from any remote terminal to query my own computer, over my home broadband or wherever I keep the secrets. All by a standard protocol that lets me just fill web forms (and other challenges) as I do now, possibly entering the master key and maybe an additional confirmation challenge to let the 3rd parties communicate, but otherwise just as transparent as just filling in the forms.

    If a 3rd party server is going to store my secrets, I want it to be my bank. I don't know why banks haven't gotten into this business already, after well over a decade watching their profits multiply from the Web, along with many risks. Maybe Google will push a key distribution protocol like this in partnership with some banks. That would also finally get Google into the payment business to challenge eBay's PayPal, which I hate precisely because its (mostly unregulated) global Internet bank is a monopoly, and I don't trust PayPal with my secrets. If Google does recover from this crack, they might be solid enough to trust.
    • by Phroggy ( 441 )
      You mean your browser doesn't have any kind of password management, with a master key?

      Unfortunately Apple's Keychain won't let me conveniently access my saved passwords if I'm logged in via SSH (it can be done from the command line, but it pops up a GUI confirmation dialog, unless you do that once and then click "Always Allow" for each password you'll want to access later), and there doesn't appear to be a search feature like there is in the GUI (although it shouldn't be hard to write one). But other than
      • It does, but it's only "password" type fields. Not credit card fields, or other secrets (Social Security#, usernames per realm - except htauth, etc). And it doesn't do anything like the remote key distribution I described.

        I'm not talking about just a keychain. You should have been able to tell from my post that I know about the OS/browser tech for "keyrings". And from the message that there's a lot more to what I'm describing than just a master password.

        I haven't had my "head buried in the sand", fuck you v
  • by I'm Don Giovanni ( 598558 ) on Monday September 24, 2007 @12:15PM (#20730153)
    I see many here making excuses for Google ("You'll never be safe with online service providers", "There's nothing Google can do", etc) and offering solutions ("Use Firefox with Noscript", etc). But I can't help but laugh because I know that if this were about Microsoft web services being exploited, the comments would be completely different. The number of comments would be at least five times greater than they are here and would be filled with gloating and screaming over Microsoft's "incompetence" and whatnot.

    You know that there is some truth in what I say.

    It looks to me that there are major holes in Google's services, and they need to be called out on it, not given excuses.
    • Re: (Score:2, Funny)

      someone should mod you '±0 obvious' ;)
    • by jgoemat ( 565882 )

      I see many here making excuses for Google

      Interesting... On stories (the many, many out there) about Microsoft security holes, I always see people posting excuses for Microsoft in the same manner ("There's nothing Microsoft can do", "Other operating systems have bugs too", "It was the user's fault for clicking on the attachment"). I think you've just discovered a natural law of Slashdot...

    • by Splab ( 574204 )
      With about a million users and only 200 comments per story, chances are it's different people posting in the two types of threads.
  • There are no absolutes but the risks could be reduced by not using such bleeding edge tech/services (which seems against the Google always-beta policy), or by having true AI (not there yet though maybe something useful could be done now) at all the major nodes of the net that can understand what is going on in real time and block off those parties (although this is vulnerable to distributed attacks).

    However this is perhaps good for me since I write search engines. One I installed at a big company for 5 year
  • by InsaneGeek ( 175763 ) <slashdot@insanegeek s . com> on Monday September 24, 2007 @12:34PM (#20730409) Homepage
    How about people who were looking to move their internal office applications to google (there were hundreds of people here on Slashdot saying they were planning on doing just that), are their critical private documents at risk or not? I've never been fond of software as a service for internal business functions, and this seems like another concern point against it.
  • nothing. relax and wait for google to fix the problem, as they surely will. Everything has some vulnerabilities, but the odds of them targeting me out of millions of people is very low. so low it's not a risk I feel any need to worry about. The endless "security" mantra is bullshit, mostly used to whip clueless consumers into making various moves from or to some product. Really it's an iterative process, an arms race if you will. Anything can happen. your office or home can be broken into very easily too ya
  • "very *re*active"? (Score:3, Insightful)

    by 6Yankee ( 597075 ) on Monday September 24, 2007 @05:32PM (#20735077)
    Very reactive is all well and good - but very proactive is better.
