October 11th, 2008
Google ignores some reported security problems?
Aviv Raff posted a public disclosure of a minor security risk that could be a major problem if used in conjunction with another type of problem. It’s true that his discovery isn’t really one that (by itself) should keep you up at night, but it’s one that I’m surprised Google’s security team hasn’t squashed it yet due to its potential when used with other vulnerabilities.
I’ll leave you to read Aviv’s description of the problem he discovered, but I’d like to discuss something a little more important. This problem was discovered, and reported to Google six months ago. Google’s official response was “we’ll look into it”, and nothing has happened. Security problems need to be fixed in a timely fashion, especially when we’re talking about a company that is slowly becoming the hub of all personal information.
Granted, this isn’t a huge problem right now, and they’ve probably got bigger fish to fry, however I have also experienced this recently when a vulnerability I found was reported to Google. It was reported well over 2 months ago, and still hasn’t been fixed. What I discovered has privacy implications, and if it’s a “feature” rather than a bug, I think someone should have a talk with the product planners.
I’m not going to disclose the problem yet, but if someone from Google in the security department is reading this, I’d encourage you to send me an email.
Garett Rogers is employed as a programmer for iQmetrix, which specializes in retail management software for the wireless industry. See his full profile and disclosure of his industry affiliations.
