Google Base launched with security hole

by Robert McMillan

November 18, 2005 —

Google Inc. has patched a security problem with its Google Base that allowed attackers to steal sensitive information from users of the new content-hosting service.

The problem, which was patched within hours of its discovery earlier this week, allowed attackers to steal cookies and other information from Google Base users and also gave attackers a way to embed fraudulent forms within Google Base Web pages. This type of problem, called a cross-site scripting vulnerability, has also cropped up in Google's search service and in Yahoo Inc.'s mapping product.

Google Base, which was released in beta version on Wednesday, gives users a way to classify and post information like recipes or classified advertisements. Items that are listed there will then also appear at appropriate parts of Google's site, such as the Web index, the Froogle comparison shopping site and the local business directory.

The bug in Google Base was easy to find, and was due to "incompetent" programming on Google's part, according to Jim Ley, the U.K. computer expert who discovered the bug. "There

IDG News Service