There was a lot of buzz last week with the launch of Google Apps Premier Edition, and with that comes potential harm. Yes, Google Desktop has recently been reported to have two serious malicious holes, both, I believe, now patched. But what about Google Apps?
With any hack, one of the first steps is to locate vulnerable sites or computers. Google Apps requires sites to verify domain ownership within the first 30 days. They can do this in one of two ways:
- Create a CNAME record
- Upload an HTML file to your server
A Cre8asite Forums thread shows how easy it is to use Google to search for sites that are potentially running Google Apps for Domains. A search on inurl:googlehostedservice.html currently returns just about 700 sites. Now, I am sure many opt for the CNAME method, and I think that those can be easily discovered, but not with a simple Google search.
The thread asks: is Google asking for trouble with this? Why not make a dynamically generated file with no pattern that can be uploaded to your server, instead of a standard file named googlehostedservice.html?
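The thread's suggestion, sketched as an added example (not code from the forum thread or from Google): the verifying service derives a per-domain file name and body from a secret key, so verified sites share no constant string. SERVICE_KEY, the function names and the sample domains are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret held only by the verifying service (hypothetical name).
SERVICE_KEY = secrets.token_bytes(32)


def _normalize(domain: str) -> str:
    """Treat Example.COM. and example.com as the same domain."""
    return domain.strip().lower().rstrip(".")


def _tag(key: bytes, label: str, domain: str) -> str:
    """Keyed, per-domain value: not guessable without the service key."""
    msg = f"{label}\x00{_normalize(domain)}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def verification_file(domain: str, key: bytes = SERVICE_KEY) -> tuple[str, str]:
    """Return (file name, file body) the site owner is asked to upload.

    The name has no fixed prefix or product string, so there is no constant
    for an inurl: style query to match across every verified site.
    """
    return _tag(key, "name", domain) + ".html", _tag(key, "body", domain)


def check_upload(domain: str, name: str, body: str, key: bytes = SERVICE_KEY) -> bool:
    """Service-side check of what was fetched from http://<domain>/<name>."""
    want_name, want_body = verification_file(domain, key)
    name_ok = hmac.compare_digest(name.encode(), want_name.encode())
    body_ok = hmac.compare_digest(body.strip().encode(), want_body.encode())
    return name_ok and body_ok


if __name__ == "__main__":
    # Constructed sample domains, not taken from the page.
    for d in ("example.com", "example.org"):
        print(d, *verification_file(d))
```

This removes the shared, searchable file name; it does not hide use of the service from other signals such as DNS records.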
Forum discussion at Cre8asite Forums.