Google Video is exposing your username and password when you post videos through the web form it provides.

It would seem that [Google Video][2] sends your username and password *as cleartext* over HTTP rather than using the more secure HTTPS. This means that nearly anyone can grab your login information when you share videos or post them to your MySpace page or blog.

The issue was reported earlier this morning on [Search Engine Roundtable][1], which explains how to replicate the hack.

>Want to see for yourself? First, install the [Live HTTP Headers Firefox add-on][3]. Then, go to Google Video. When you click on Post to MySpace, you get a link [like this][4] in a popup window. On this window where you input your username and password, go to the Firefox Tools menu > Live HTTP Headers. What you see is your username and password in plain text.

SERoundtable demonstrates with MySpace; I followed their instructions but ran it against my Typepad account, and it does indeed reveal the username and password (blacked out in the screenshot below).

Hopefully Google will address the problem in the very near future since it's a very amateur web programming mistake, but there's no telling how many people might be harvesting the data in the meantime.

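
For site owners who want to catch this class of mistake before users do, here is an added example (not code from this post, Search Engine Roundtable or Google) that scans a page's HTML for forms containing a password field and reports how each would be submitted. It goes slightly beyond the cleartext-submit case described above by also flagging a form served over HTTP and a password sent with GET; the host names and field names in the sample are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form = None      # form currently being parsed, if any
        self.findings = []    # one record per form that has a password field

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form = {"target": urljoin(self.page_url, a.get("action", "")),
                         "method": a.get("method", "get").lower(),
                         "password": False}
        elif tag == "input" and self.form and a.get("type", "").lower() == "password":
            self.form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.form:
            if self.form["password"]:
                self.findings.append(self._assess(self.form))
            self.form = None

    def _assess(self, form):
        checks = [
            # Password readable by anyone who can observe the traffic.
            ("cleartext-submit", urlsplit(form["target"]).scheme != "https"),
            # Form markup can be rewritten in transit to change its target.
            ("cleartext-page", urlsplit(self.page_url).scheme != "https"),
            # GET places the password in the URL (history, logs, Referer).
            ("password-in-url", form["method"] != "post"),
        ]
        return {"target": form["target"], "issues": [n for n, bad in checks if bad]}


def audit(page_url, html):
    auditor = PasswordFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: host names and field names are made up for illustration.
SAMPLE_URL = "http://video.example/blogpost?docid=1"
SAMPLE = ('<form action="/post" method="post"><input type="password" name="p"></form>'
          '<form action="https://login.example/auth"><input type="PASSWORD" name="p"/></form>'
          '<form action="/search"><input name="q"></form>')
```

Calling `audit(SAMPLE_URL, SAMPLE)` returns two records: the first form is flagged `cleartext-submit` and `cleartext-page`, the second `cleartext-page` and `password-in-url`, and the search form is ignored because it has no password field.
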
[1]: http://www.seroundtable.com/archives/013820.html "Google Video Flaw Raises Privacy Concerns by Exposing Usernames and Passwords"
[2]: http://video.google.com/ "Google Video"
[3]: https://addons.mozilla.org/en-US/firefox/addon/3829 "Live HTTP headers"
[4]: http://video.google.com/blogpost?docid=7274049881792333623&siteindex=3