Google Video Flaw Raises Privacy Concerns by Exposing Usernames and Passwords

Jun 12, 2007 - 12:23 pm 3 by
Filed Under Misc Google

Since we like reporting about search in forums, we generally wait for the discussion to begin there. As such, earlier this morning, Insomniac (aka Entriple) told Barry about a flaw in Google Video and Barry suggested that it be posted on DigitalPoint Forums (so in general, if you have a hat tip for us, please make sure there's associated discussion!). The discussion on DigitalPoint has since grown tremendously since it was created.

It appears from Insomniac's find that if you choose to share a video from Google Video to another social network (like MySpace, for example), your username and password get sent in plaintext on the http protocol (rather than the more secure https protocol).

Plaintext, you say? Yes, indeed. From the headers:

POST /blogpost HTTP/1.1 Host: video.google.co.uk User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Referer: http://video.google.co.uk/blogpost?d...22&siteindex=3 Content-Length: 42 Cookie: PREF=ID=26c938172fc51030:TM=1178041215:LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB Pragma: no-cache Cache-Control: no-cache req=login&name=myusername&pass=mypassword&site=MySpace

Want to see for yourself? First, install the Live HTTP Headers Firefox addon. Then, go to Google Video. (Step 1) When you click on Post to MySpace (Step 2), you get a link like this in a popup window. On this window where you input your username and password (Step 3), go to the Firefox Tools menu > Live HTTP Headers. What you see is your username and password in plain text (Step 4).

First, Share your Video (Step 1: View a Google Video)

You'll be Taken to a Link to Post to MySpace (Step 2: You can post the video to MySpace. Disclaimer: This video URL came to me via StumbleUpon.)

This is when the headers get sent. (Step 3: Enter your Username and Password)

Live Headers in Action (Step 4: Yeah, in fullsize, you can see the username and password that I typed in.)

This appears to be an oversight and I believe it should be patched immediately. After all, as Insomniac adds, "Who knows who else has noticed this and started logging data."

Forum discussion continues at DigitalPoint Forums.

 

Popular Categories

The Pulse of the search community

Follow
Subscribe Options

Search Video Recaps

 
Video Details More Videos Subscribe to Videos

Most Recent Articles

Search Forum Recap

Daily Search Forum Recap: April 26, 2024

Apr 26, 2024 - 4:00 pm
Search Video Recaps

Search News Buzz Video Recap: Google Core Update Updates, Site Reputation Abuse Coming, Links, Ads & More

Apr 26, 2024 - 8:01 am
Google Search Engine Optimization

Google Publisher Center No Longer Allows Adding Publications

Apr 26, 2024 - 7:51 am
Google

Google Tests Placing The Snippet Date Next To URL

Apr 26, 2024 - 7:41 am
Google

Google Breaks Out Googlebot IP Ranges For User-Triggered Fetchers

Apr 26, 2024 - 7:31 am
Google News

Google Ad Revenue Up 13% & Bing Ads Revenue Up 12%

Apr 26, 2024 - 7:21 am
Previous Story: Yahoo Tries Out New Look: Shiny Blue Bar
Next Story: Search Pulse 33: SMX Review, SEW 10, Ask.com UI, Google & Yahoo Update, Privacy Issues, Street Views and More

The content at the Search Engine Roundtable are the sole opinion of the authors and in no way reflect views of RustyBrick ®, Inc
Copyright © 1994-2024 RustyBrick ®, Inc. Web Development All Rights Reserved.
This work by Search Engine Roundtable is licensed under a Creative Commons Attribution 3.0 United States License. Creative Commons License and YouTube videos under YouTube's ToS.