Google’s Latest Security Hole

Tony Ruscoe discovered a security hole the other day involving Google and Blogger Custom Domains. Now that Google has fixed it, he has released all of the info on the security hole: how he discovered it, how he could exploit it, and more.

In summary, I was able to create a page that was hosted on a google.com domain, which is something that should never be allowed to happen. Because of this vulnerability, I was then able to use a simple bit of code to steal someone else’s Google cookie and access their Google services.

The Google Security Team was informed of the issue before I’d even written my proof of concept script to test on Philipp. Around three and a half hours later, Google had deleted my test page and were redirecting both ghs.google.com and ghs.l.google.com to Blogger’s standard “blog not found” page. (They’re now redirecting both addresses to the Google.com home page.) Source: Details of Google’s Latest Security Hole

Luckily, he wasn’t able to get into Gmail, but he and his friend were able to access the same account at the same time. Not a good idea. I wonder if I can access my Gmail accounts from more than one computer at the same time; might be worth a test…