Google fixes major weakness in Google Apps

by Carl Jongsma
1 comment | 9I like it!
Tags: Google, Google Apps, single sign on
More »
on this topic
September 5, 2008, 10:28 AM —  Computerworld Australia — 

Something that might have gone unnoticed from Google this week is the patching of a serious vulnerability that previously allowed an attacker to exploit a weakness in Google's Single Sign-On service used with Google Apps to take over a victim's Google account.

While the specific information about the vulnerability was not published until Google had patched the issue, it chains together simple concepts, so it is considered likely that it has already been discovered and used by others.

Single Sign On services, whether it is aborted ideas like Microsoft's PassPort, the current Open-ID, or any number of desktop-based integration tools, all have the same basic weakness. Because they are designed to allow access to varied authenticated resources through the use of a common authentication token of some form, then a compromise of the token allows for access to a much broader set of services and assets than the attacker would have had without the Single Sign On system.

Ultimately, use of Single Sign On technologies can be described as a pure security / usability trade-off. In order to gain the usability of not having to remember / provide unique authentication for a series of services, the security of having properly compartmentalized access to each service is forgone.

» posted by ITworld staff

Computerworld Australia

I like it!
Comments
1 comment Add a comment

If you like to have more

If you like to have more information on this vulnerability discovered in the context of a research project called AVANTSSAR, you can access the following link:

http://www.ai-lab.it/armando/GoogleSSOVulnerability.html
by Anonymous (not verified) on 9/11/08 at 4:37 am | reply
View all comments »
Free books

Build your tech library with our book giveaways.

Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams

Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!

 

Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media

Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
More Resources