Sunday, January 14, 2007

Google Fixes a Flaw in Blogger Custom Domains

Blogger Custom Domains, the new feature that allows you to have a blog on your own domain, but hosted by Google for free, had a small bug discovered by Tony Ruscoe and Art-One. When you enter a domain, Google doesn't check if it's your domain (there's no reliable way to do that). To setup your blog, you need to create a CNAME record that points your domain to ghs.google.com. But it's not necessary to do that for ghs.google.com itself.

As Art-One discovered, a blog owner entered ghs.google.com by mistake and his blog was hosted on google.com. The problem is that a page hosted on google.com can read your Google cookie and send it to a server. Someone who has your Google cookie can access your account, if you're already logged in. Fortunately, that blog didn't use any malicious scripts, Google was notified and the problem was fixed quickly.

Tony writes more about the issue and reveals some interesting things:

* You can use Blogger Custom Domains to redirect your blog to another domain or subdomain (you can claim it only once). Even though this feature is useful if you move from Blogger and decide to use another blog software (for example, Wordpress installed on your domain), spammers will have an easier way to redirect BlogSpot blogs to their ugly domains.

* Google should make sure "nobody can host or inject content (and particularly scripts)" on google.com.

* It's a good idea to log out of Google when you're not using Google services and to delete your cookies from time to time (for example, at the end of each bowser session).

Incidents like this are rare and there's no reason to panic.

No comments:

Post a Comment