Friday, November 18, 2005

Security hole in Google Sitemaps

Danny Sullivan reports that David Naylor and others discovered a security hole in how Google Sitemaps grants access to a site's statistics.

To prove you own the website you want to access, Google Sitemaps asks you to drop a file with a long code in the filename at the root level of your website (e.g. 1029392729387.html). It then checks to make sure this file exists and, if it does, it gives you access.

The problem is that it only checks whether the file exists. As David and Danny point out, many websites -- including huge ones like eBay, AOL, and Google's own Orkut -- display a nice error page to users for invalid URLs that says something like, "Hey, this page doesn't exist!" Google Sitemaps sees that the error page is returned with a 200 status code, not a 404, and concludes, "Huh, look, the page exists!"

Oopsie. Because of this error, Danny and David managed to access the Google Sitemap stats for eBay, AOL, and other websites.

On the one hand, Google is right that websites really should return an HTTP "not found" code (404) for pages that are not found. On the other hand, many, many sites don't.

This reminds me of the problems with caching and prefetching when Google Web Accelerator launched. Google assumed all websites strictly obeyed the HTTP spec, but they don't, so the tool didn't work properly. You need to work with reality, Google, not the way things should be.

This really is pretty lame of Google. Many other sites have to deal with this same kind of "claim your site" problem. They often do it by requiring you to put a code in a comment in one of your webpages, not by creating a new file, but there's any number of other ways to do it that work just dandy and don't open huge security holes.
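To make the failure concrete, here is an added illustration (my own code, not Google's verification logic or anything from the original post): the naive "200 means the file exists" check beside a hardened check that requires the token in the response body and then probes a random path to detect a soft-404 site. The two sites and the token are constructed for the example; `Fetcher` stands in for a real HTTP client.

```python
import secrets
from typing import Callable, Tuple

Fetcher = Callable[[str], Tuple[int, str]]  # path -> (HTTP status, body)

TOKEN = "1029392729387"  # constructed sample token, same shape as in the post


def soft404_site(path: str) -> Tuple[int, str]:
    """Constructed site: every unknown path gets a friendly error page with status 200."""
    if path == "/index.html":
        return 200, "<html>Welcome</html>"
    return 200, f"<html>Hey, {path} doesn't exist!</html>"


def verified_site(path: str) -> Tuple[int, str]:
    """Constructed site whose owner actually uploaded the verification file."""
    if path == f"/{TOKEN}.html":
        return 200, f"verification-token: {TOKEN}"
    return 404, "Not Found"


def naive_verify(fetch: Fetcher, token: str) -> bool:
    """The check described in the post: a 200 status is taken as 'the file exists'."""
    status, _ = fetch(f"/{token}.html")
    return status == 200


def hardened_verify(fetch: Fetcher, token: str) -> bool:
    """Require the token in the body, then rule out a soft 404 with a random probe."""
    path = f"/{token}.html"
    status, body = fetch(path)
    if status != 200 or token not in body:
        return False
    # Fetch a path nobody could have created. A proper 404 settles it.
    probe_name = secrets.token_hex(16)
    probe_path = f"/{probe_name}.html"
    probe_status, probe_body = fetch(probe_path)
    if probe_status != 200:
        return True
    # The site serves 200 for unknown paths. Treat the token page as a soft 404
    # if it is the same page as the probe once each requested path is masked out.
    masked_token = body.replace(path, "<PATH>").replace(token, "<PATH>")
    masked_probe = probe_body.replace(probe_path, "<PATH>").replace(probe_name, "<PATH>")
    return masked_token != masked_probe
```

The masking comparison is a heuristic: an error page that varies per request (timestamps, request ids) would need a looser similarity test, and a token placed in a comment inside an existing page, as in the alternative mentioned above, passes the same body check without needing the probe.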

C'mon, Google, you're supposed to be better than this.

Update: About 8 hours later, Stefanie Olsen says that Google has fixed the issue. Quick response, excellent.

Update: Another security problem at Google, a cross-site scripting vulnerability in Google Base. Apparently, the problem already has been fixed. [via Nathan Weinberg and Danny Sullivan]

Update: When it rains, it pours. Another recent security issue, this one in the Google Mini, that could have allowed arbitrary command execution. It already has been patched. [via Danny Sullivan]


noexes said...

This is pretty stupid thing for Google to do, but an open Google sitemap isn't that big of a security breach. It's not like I'm reading the e-mail of eBay employees or anything.

HollerBee Team said...

Wow, didn't expect that coming. Google buys companies that are doing innovative things, but should consider the possibility that they may not be up to the mark to the values of Google.

Greg Linden said...

Noexecs, some of the information might be a big deal. For example, a lot of companies might be interested in the most popular search queries for a competitor, data that you might be able to get through this security hole.

However, the biggest issue could be the ability to change the sitemap for a site. I'm not sure what kind of mischief someone could cause by uploading new sitemaps for sites they don't own, but it doesn't seem like a desirable thing.

noexes said...

Actually, to be honest, I don't really understand this sitemap stuff anyway. So I guess what you're talking about is kinda bad, so boo Google.