Feeds

Google closes Blogger security holes

'Outstandingly common problem'

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Internet search giant Google confirmed this week that it closed several security holes that could have allowed hackers to substitute their own musings for any of the over one-million electronic diaries maintained through the popular "Blogger" online publishing tool.

The vulnerabilities were typical of Web application security weaknesses that have plagued e-commerce sites for years, according to hacker Adrian Lamo, who discovered the holes and passed the details to San Francisco-based Pyra Labs in January. Pyra, creator of Blogger and the related hosting site BlogSpot, was acquired by Google last month.

Lamo demonstrated the most serious vulnerability to SecurityFocus by replacing a reporter's skeletal BlogSpot weblog with one of his own. Before that, the hacker says he tested the technique on two other existing weblogs that had been abandoned, but that he resisted the temptation to replace any of the high profile journals hosted on the site - one is operated by humorist Dave Barry, another by CNET Radio - out of respect for the company. "I was tempted to do both of them," says Lamo. "Had Pyra been a less wholesome operation, I might have shown less restraint."

Jason Shellen, Google's associate program manager for Blogger, said details of the vulnerabilities would be posted to Blogger's status page this week.

The hole Lamo demonstrated did not require him to take over an existing weblog. Instead, he bypassed the process BlogSpot used to prevent new customers from establishing weblogs with an address already in use.

After confirming that an address was available, the enrollment application stored it in the user's browser in a hidden form field. A hacker could simply change the name in the form field to the name of an existing weblog to create a new journal that would supercede the legitimate one. "I would characterize it as an outstandingly common problem," says Lamo.

Through similar weakness, the hacker says he could add himself to the list of people authorized to maintain a particular weblog though Blogger, even if they were hosted elsewhere.

Last October, Blogger was shut down for more than two hours after an intruder compromised several user accounts. No billing data or credit card numbers were exposed in that hack, nor by this latest batch of vulnerabilities.

© SecurityFocus Online

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.