New security hole fixed: Google
Google Inc. on Tuesday said vulnerabilities in its software had been fixed and criticized their revelation online over the holiday weekend.
Bloggers who write about the internet search giant had reported security holes that would allow a specially crafted website to obtain the Gmail contact lists of users who have logged into the free e-mail service or other services such as Blogger that require people to sign into their Google accounts.
People could also gain access to the contact lists by copying and pasting a piece of computer code into a web browser.
The flaw could have enabled an attacker to send malicious messages that contain viruses or other malware to people on an exposed contact list.
Google had repaired the identified problems by Monday afternoon — a little more than a day after receiving reports about them, Heather Adkins, Google's security manager, said in a written statement e-mailed on her behalf to CBC News Online.
"We were first notified that this issue affected Google Video and fixed it within a few hours," Adkins' statement said, adding that the company later received word that the problem was more widespread.
"The problem with the other products was resolved within 24 hours of the second report. To our knowledge, no one exploited the vulnerability and no users were impacted."
Google Video is the online video sharing service that the company built before buying popular competitor YouTube Inc. on Oct. 9, 2006.
Teen exposed flaw
Adkins' statement included remarks that were critical of the manner in which the security hole was brought to light.
"We strongly encourage anyone who is interested in researching and reporting security issues to follow responsible disclosure practices including giving vendors ample time to respond to reports," the e-mail read.
"Responsible disclosure allows companies like Google to keep users safe by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys."
The vulnerability was discovered by 16-year-old Haochi Chen of Columbus, Ohio, who reported it on his Googlified blog on Dec. 30.
Chen told CBC News Online on Tuesday that he agreed with Google that care should be exercised when disclosing security holes.
"I think they're right," Chen said.
Asked whether he would do anything differently, he said, "I would wait for a couple of days" more before publishing news of a vulnerability.
But he insisted that the manner in which he exposed the problem was legitimate. "There's nothing wrong with it."
'This feature could be dangerous'
Chen stated in his blog that he discovered the problem after tinkering with an undocumented feature of the Google Video service that lets users e-mail videos to people in their Gmail contact list.
The e-mail feature was reported the same day by Ionut Alex Chitu, who describes himself as a Romanian student who runs the Google Operating System blog.
"This feature could be dangerous," Chen wrote about the contact list problem on Dec. 30.
The next morning he followed up with a comment on his original post, stating, "It is very dangerous. I just confirmed with a few other people. I have also notified the Google Security team."
According to another post by Chen on Jan. 1, Google responded to his alert some 30 hours after he reported the flaw to them — only after word of the vulnerability had spread through a post to the popular social networking news site Digg.
Chen told CBC News Online on Tuesday evening that he had not received any further communications from Google.
In late December, the company also had a problem related to its Gmail free e-mail service, in which users' stored messages and even their entire accounts were irretrievably deleted.