Google fixes major weakness in Google Apps

by Carl Jongsma
1 comment | 9I like it!
Tags: Google, Google Apps, single sign on
More »
on this topic
September 5, 2008, 10:28 AM —  Computerworld Australia — 

Something that might have gone unnoticed from Google this week is the patching of a serious vulnerability that previously allowed an attacker to exploit a weakness in Google's Single Sign-On service used with Google Apps to take over a victim's Google account.

While the specific information about the vulnerability was not published until Google had patched the issue, it chains together simple concepts, so it is considered likely that it has already been discovered and used by others.

Single Sign On services, whether it is aborted ideas like Microsoft's PassPort, the current Open-ID, or any number of desktop-based integration tools, all have the same basic weakness. Because they are designed to allow access to varied authenticated resources through the use of a common authentication token of some form, then a compromise of the token allows for access to a much broader set of services and assets than the attacker would have had without the Single Sign On system.

Ultimately, use of Single Sign On technologies can be described as a pure security / usability trade-off. In order to gain the usability of not having to remember / provide unique authentication for a series of services, the security of having properly compartmentalized access to each service is forgone.

» posted by ITworld staff

Computerworld Australia

I like it!
Comments
1 comment Add a comment

If you like to have more

If you like to have more information on this vulnerability discovered in the context of a research project called AVANTSSAR, you can access the following link:

http://www.ai-lab.it/armando/GoogleSSOVulnerability.html
by Anonymous (not verified) on 9/11/08 at 4:37 am | reply
View all comments »
Free books

Build your tech library with our book giveaways.

Hacking Exposed, Sixth Edition
By Stuart McClure, Joel Scambray, George Kurtz; Published by McGraw-Hill/Osborne

The original Hacking Exposed authors rejoin forces on this tenth anniversary edition to offer completely up-to-date coverage of today's most devastating hacks and how to prevent them. Using their proven methodology, the authors reveal how to locate and patch system vulnerabilities. The book includes new coverage of ISO images, wireless and RFID attacks, Web 2.0 vulnerabilities, anonymous hacking tools, Ubuntu, Windows Server 2008, mobile devices, and more. Enter now!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace