Monday, September 15, 2008


A big tip o'the hat to Kim Cameron who today points out a security white paper from US-CERT describing an incredibly bad - and incredibly naive - security vulnerability in Google's SSO implementation.

The kicker isn't that there is a vulnerability, but, as Kim says, "the surprising fact is that the errors made are incredibly basic."

The Google wunderkind evidently ignored major parts of the SAML spec (while claiming to be SAML compliant) leaving the SSO completely open to the most basic insider attack. More incredibly, they extended this vulnerability to third parties so that their insiders could get in on the attack!

Google just turned ten, but its thinking is more like that of a 17-year-old, one who knows what they want to do and can't be bothered to cross all the t's and dot all the i's in their headlong rush for personal fulfillment. They also think they'll live forever, and that they discovered sex (drugs, rock & roll, whatever). It's a very dangerous age but - if they survive it - they may go on to do great things. My hope is that the rest of us survive it, also.

