
malevolent design weblog

This blog is now defunct, but you can find more stuff over at my personal site

Going Phishing With Google

The Google exploit published yesterday, which lets anyone put whatever markup they want on a page served under a tidy Google URL, is pretty bad. It’s such a fundamental design error that it’s clear absolutely no one involved in developing that feature has even a rudimentary knowledge of web application security.

Allowing users to display their own HTML on your site is always dangerous. Many developers underestimate the risk, or think a few filters that strip certain tags will do, but blocklist filtering is not robust enough, as MySpace found when its filters were bypassed by the Samy worm. The only sound approach is to parse the markup, pull apart each tag, and rebuild the output from scratch using an allowlist of permitted tags, attributes and attribute values (URL schemes included); anything not on the list is dropped rather than searched for. I think Google actually does this in Gmail, as its behaviour with broken HTML emails doesn’t seem to indicate simple filtering.
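As an added example (not code from the original post, and unrelated to Google’s own implementation), here is the difference between the two approaches in Python: a regex blocklist that strips `<script>` tags and `javascript:` URLs, beside an allowlist sanitizer built on the standard library’s `html.parser` that re-emits only what a parsed tag is permitted to carry. The tag and attribute policy is a hypothetical one chosen for illustration, and every input is constructed. One caveat a practitioner should keep in mind: `html.parser` is not an HTML5-conformant parser, so a production sanitizer should sit on a parser that tokenizes the way browsers do, otherwise parser differentials become the bypass.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# --- The blocklist approach the post warns against -------------------------

def naive_filter(markup: str) -> str:
    """Strip <script> blocks and 'javascript:' with regexes. Plausible, not safe."""
    out = re.sub(r"(?is)<script.*?>.*?</script>", "", markup)
    return re.sub(r"(?i)javascript:", "", out)

# --- Parse-and-rebuild with an allowlist ----------------------------------

# Hypothetical policy for this example: tag -> attributes permitted on it.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}           # never get a closing tag
URL_ATTRS = {"href", "src"}         # values must pass safe_url()
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # drop the element *and* its text

def safe_url(value: str) -> bool:
    """Accept relative URLs and http/https/mailto; reject every other scheme."""
    # Browsers ignore tabs, newlines and other control characters inside a URL,
    # so 'java\tscript:' still runs. Strip them before looking at the scheme.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES

class AllowlistRebuilder(HTMLParser):
    """Walks the parsed tags and re-emits only what the allowlist permits."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open: list[str] = []   # allowed tags currently open, for balancing
        self.suppress = 0           # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.suppress += 1
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            return                  # unknown tag: drop it, keep its text
        clean = []
        for name, value in attrs:   # HTMLParser has already decoded &#x61; etc.
            if name not in allowed or value is None:
                continue            # onerror=, style=, ... never get this far
            if name in URL_ATTRS and not safe_url(value):
                continue
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.suppress = max(0, self.suppress - 1)
            return
        if tag not in self.open:
            return                  # stray or disallowed closing tag
        while self.open:            # close anything still open inside it
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open:            # balance tags left open at end of input
            self.out.append(f"</{self.open.pop()}>")

def sanitize(markup: str) -> str:
    parser = AllowlistRebuilder()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    # Constructed inputs, not taken from the Google advisory.
    nested = "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>"
    print(naive_filter(nested))     # the regex removes the inner tags and leaves a live <script>
    print(sanitize(nested))
    print(sanitize('<p>Hi <b>there</b><script>alert(1)</script>'
                   '<img src=x onerror=alert(1)>'
                   '<a href="jav&#x61;script:alert(1)">x</a></p>'))
```

The two points worth noticing: the regex filter is defeated by nesting (`<scr<script></script>ipt>` becomes `<script>` once the inner tags are removed) and never looks at event-handler attributes at all, while the rebuilder never copies anything it did not explicitly decide to emit, and because it checks the decoded attribute value, entity-encoded or tab-broken `javascript:` schemes are rejected the same way as the plain form.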

In the case of Google’s Public Service Search, even forbidding scripts, CSS, frames and forms might not be enough. Plain text and links are all a phisher needs: a page of attacker-chosen content and links (say, to a spyware download) would still be served from a Google URL, and so borrow Google’s reputation. Google may have to switch to allowing only a header image (as PayPal does) and make institutions that need tighter integration host the search page themselves, with Google’s results inserted via JavaScript or server-side code.

