The world’s largest search service provider has recently patched a security vulnerability that could allow attackers to steal cookies and other information from users of its newly launched content posting service.
The flaw enabled hackers to embed fake models in the small pages of Google Base. This type of issue, known as cross-site scripting (XSS), has previously affected Google’s search engine and Yahoo’s mapping program.
“The vulnerability was very easy to detect. It seems that Google did not conduct thorough testing, so there are still some minor glitches in Google Base,” remarked Jim Ley, a British computer expert who reported the flaw.
Previously, Google had also faced criticism for being too secretive about the security technologies it employs for its products. While Microsoft publicly outlines the steps taken to enhance software safety, Google refuses to address this topic and only asserts that it has dedicated staff responsible for security.
“Google didn’t even email me back to acknowledge the flaw. They quietly reviewed and fixed it. I guess they think that what the public doesn’t know, they don’t have to worry about,” Ley wrote on his blog.
Also last week, Yahoo, AOL, and Verizon collaborated to establish a technology standard aimed at regulating behavior on software download websites to reduce the risks associated with adware and spyware.
The standard, managed by the independent online company TRUSTe (USA), will require download sites to clearly inform users whether the software they intend to download contains adware or other tracking programs.
Websites will also be required to warn users if the software causes any changes to PC settings, allowing users to make a choice before the download process begins.
The pilot program is set to launch early next year.