Security Flaw With Google Sitemaps Stats
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Y! MyWeb
Share:
Sponsors:
By Steve Malone
Search engine Google has acted quickly to plug an embarrassing hole in its Sitemaps facility. Visitors who 'verified' that they owned a site with Sitemaps could see private information about the site.
Sitemaps is a facility provided by Google that provides webmasters with information about their sites. Some of it - such as 'links' and 'inurl' - is meant to be public but other data is supposedly only available to the site owners. A bug crept in that allowed anyone to claim they had a right to see the information.The problem arose in the way that Google checks that the visitor 'owns' the site. The search engine does this by generating a unique page URL that has to be placed under the domain name. When asked to verify, Google will check whether the page exists. However, it turns out that this is not quite what it does. What it checked was whether it received a '404 Page Not Found' message. Some sites do not generate a 404 but instead say, refer the request to a similar page. In these cases Google would accept that the page had been 'verified' and provide the Sitemaps account with the information.
To be fair, the private information was not that detailed and mostly consists of referred pages although Google has promised to increase the information provided in the future. However, it is embarrassing that a company which boasts wall to wall Computer Science PhDs should get caught out by such a simple oversight.
In a blog posting, Vanessa Fox from Google Engineering said that the bug is one which has crept in recently. When Sitemaps was introduced a couple of months ago the system checked to make sure that the web server is configured to return a 404 correctly when a request for a non-existent page is made. According to Fox 'with our latest release, a bug prevented this process from working correctly'.
Google is also attempting reassure webmasters who may be alarmed at Google revealing potentially sensitive information. Fox says that the hole has been plugged, and to ensure the security of all sites using the Google Sitemaps tool, the company will re-verify all sites added in the previous 48 hours.
Article submitted by: Webshark
Last Update: 11-21-2005
Category: Off Topic Info
Search engine Google has acted quickly to plug an embarrassing hole in its Sitemaps facility. Visitors who 'verified' that they owned a site with Sitemaps could see private information about the site.
Sitemaps is a facility provided by Google that provides webmasters with information about their sites. Some of it - such as 'links' and 'inurl' - is meant to be public but other data is supposedly only available to the site owners. A bug crept in that allowed anyone to claim they had a right to see the information.The problem arose in the way that Google checks that the visitor 'owns' the site. The search engine does this by generating a unique page URL that has to be placed under the domain name. When asked to verify, Google will check whether the page exists. However, it turns out that this is not quite what it does. What it checked was whether it received a '404 Page Not Found' message. Some sites do not generate a 404 but instead say, refer the request to a similar page. In these cases Google would accept that the page had been 'verified' and provide the Sitemaps account with the information.
To be fair, the private information was not that detailed and mostly consists of referred pages although Google has promised to increase the information provided in the future. However, it is embarrassing that a company which boasts wall to wall Computer Science PhDs should get caught out by such a simple oversight.
In a blog posting, Vanessa Fox from Google Engineering said that the bug is one which has crept in recently. When Sitemaps was introduced a couple of months ago the system checked to make sure that the web server is configured to return a 404 correctly when a request for a non-existent page is made. According to Fox 'with our latest release, a bug prevented this process from working correctly'.
Google is also attempting reassure webmasters who may be alarmed at Google revealing potentially sensitive information. Fox says that the hole has been plugged, and to ensure the security of all sites using the Google Sitemaps tool, the company will re-verify all sites added in the previous 48 hours.
Article submitted by: Webshark
Last Update: 11-21-2005
Category: Off Topic Info
Current rating: 5.32 by 43 users
| Would you recommend this article to a friend? |
| Not a Chance | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Absolutely |
Related News Stories
(14,956 reads) 03-29-2007
· Adobe Photoshop CS3 published(12,900 reads) 08-03-2006
· FBI calls for hacker help.(14,763 reads) 07-20-2006
· Become a Friend of Firefox.(12,550 reads) 07-15-2006
· Recently unearthed e-mail reveals what life was like in 1995(14,351 reads) 02-23-2006
· Inside Windows Vista ( Build 5308) + slide show(13,063 reads) 02-21-2006
· do-you-have-a.COM ? thinking-to-buy-a.COM ?(13,230 reads) 01-17-2006
· Websites judged in milliseconds(13,828 reads) 01-17-2006
· Stolen Corvette found after 37 years (Reuters)(13,448 reads) 01-17-2006
· Two patients in surgical slip-up (Reuters)(12,833 reads) 01-17-2006
· Goose Poop a Problem for Oakland Parkgoers (AP)
Please register or sign-in to post comments.