22 comments

[ 3.2 ms ] story [ 80.1 ms ] thread
I panicked initially thinking this issue was not yet resolved by Google!

Well done Saket, thanks for waiting for the bug to get fixed before posting your article.

Even when I show this bug 1st, I was totally shocked how this can be possible..
It really does feel that video demonstrations of bugs are the way to go, if you're trying to convince teams of a problem.
I think he reached out to the support team instead of the security team. Pretty stupid of the support team to not take security bug reports seriously.
I'm not very surprised. If he told me about it, I would find it quite hard to believe that Google's programmers made such an error too.
It's always the assumptions that get you.
This. A thousand times this. Especially when investigating security issues, assume everything could be vulnerable or broken until proven otherwise.
Even I was shocked when I 1st show this bug..
Ya because at that time I wasn't able to find any way to get in direct contact with them via phone call..
The actual screen-cast which I made for them, I deleted it for security reason..
Either way, this is a fairly noob error - confusing authentication with authorization. I'm very surprised that business critical G Apps team hasn't caught on to this before.

They should probably give him the maximum reward just to attempt to save face on this.

Anyways, from now on (from http://www.google.com/about/company/rewardprogram.html):

>If you have found a vulnerability, please contact us at security@google.com. Feel free to be succinct: the mailbox is attended by security engineers, and a short proof-of-concept link is more valuable than a video explaining the consequences of an XSS bug. Oh: if necessary, you can use this PGP key.

Ya it is a kind of noob error but as its a human made thing so mistake can happen..
Significant authentication bypass or information leak = $10,000
It was probably a logic error—a mistake in a table look up or somesuch—if an account can manage more than one domain name.
This bug seems glaringly obvious. Any page which has the user login and password credentials for Enom Domain Manager page would initially have someone like me who is more security conscious looking at things like the URL and also noticing this type of bug.

Then again, you'd need to buy your domain through Google Apps to notice this. Maybe not many people buy their domain through Google Apps?

I'm interested to know how long this bug was out in the wild before it was found. Months? Days?

Good find Saket and great story.

Ya not many people buy domains through Google Apps.. And I am not sure about from how long this bug was there because I soon as I show it I reported about the same.. Thanks.. :)
I wonder how long this bug was out in the wild before being reported.
This is quite exactly why I would never consider using the Google cloud, or any customer-facing Google services for our business. Google is set up for B2B, not B2C. Their job is to minimize customer service calls. We use Google Apps at our business. The absolute only way we've been able to get useful support when something breaks was to either call up a VP-level contact, or call up a colleague who works at Google, and ask for a personal favor. This does not scale.

I also know of the number of serious Google bugs we've run into that we just didn't report because, quite frankly, we gave up on any bug reporting process having any effect.

Contrast this to Amazon where our rep can put us in contact with engineers in a few minutes, and who are of the caliber that they can e.g. help us recover a database where the RAID volume Amazon hosted it on was damaged in a power outage.

I've had the same experience as well which is why we canned Google Apps during the trials for our business. We had a show stopper when doing a test exchange migration and we never got an email reply and never found a human to talk to that could help. That failed the risk mitigation criteria of the trial so we binned it.

I have absolutely no faith in them to actually sort something out in a reasonable amount of time.

Conversely, we used Office365 in the end and it blew up(ironically with a similar issue) during the trials. We had someone useful on the phone helping us in under 20 minutes!

I've not had much luck with Amazon, particularly S3 as we had a number of issues with the .Net client and they weren't very helpful. Stackoverflow was far more useful but I don't want to trust stackoverflow as a long term support option!

With Amazon, we have a business support contract. The first-line phone operators are pretty bad -- they're neither technical nor fluent in English -- but we've been able to work up to competent people pretty quick in the one emergency we've had since launching. Both organizations are courting us pretty hard, so we may be a special case.

Google is a little weird. They've insisted on e.g. a conference calls with a half-dozen guys from Google, including one executive-level. That call was entirely one-sided. They told us about all sorts of features they were building because they thought our market segment needed them (zero of which were actually useful to us, and which they could have discovered with even very minimal market research). In that conference call, they didn't listen to any of our bugs or feature requests. Whenever we've submitted support requests through official channels, they went into what was effectively a black hole (sometimes, we'd get a slightly derogatory response from someone clearly powerless and clueless). Things we submit to through high-level contacts get handled -- roughly as well although slightly slower than normal, paid contacts at Amazon. The culture at Google is a little weird, at least with respect to dealing with large customers.

We do use Google Apps internally. It's imperfect and has showstoppers, but in my experience, corporate IT departments are even more imperfect, and have even more showstoppers. Based on our experiences, I'd be absolutely terrified of using Google for anything customer-facing.

There was a similar and recent vulnerability in google webmaster tools as well.

Very scary. But what stellar alternatives exist for startups?

He should have asked for their names and added them to the blog post. That's pretty lame to be laughing at someone, most likely because english is his second language and the explanation technical in nature.

He's a better man than me. I probably would have hung up and posted directly to here instead.