Google Web Accelerator Security Problem?

Story Text:

A Lifehacker report led me to Something Awful Forum, a forum I must confess to not knowing. They report that while using Google Web Accelerator they're seeing forum pages logged in as a user other than their own nickname. As I tried and canned Accelerator, I cannot confirm that this is true; perhaps someone who still has it can report here.

The fix is to add the forum's URL to Web Accelerator's "Do not accelerate this web site" list, but that doesn't make it less of a security risk. It's worth mentioning that Google-watcher Philipp Lenssen was unable to reproduce this bug.

There is a fuller report on this at BlogNewsChannel.

And our old friend "Backpack" is also reporting:

Jason Fried at 37Signals, the company who developed the Backpack web app, reports that Google Web Accelerator’s pre-fetching was deleting Backpack pages without user consent.


Really quick fix for GWA

<Limit GET POST>
    order allow,deny
    allow from all
    # refuse GET and POST from the 72.14.192.* range the post blames for the prefetches
    deny from 72.14.192
</Limit>

Also, check out this scary article. I hope nobody is using GET data for UI commands.

It's offline now

Seeing Toolbar v3 for 5 minutes now.

Nah ...

it's either up again or still where I am.

same old quality control

As I speculated elsewhere, the web accelerator had about as much quality control and testing as everything else that they release on the unsuspecting masses. Exactly none.

Are they ever going to release even one product that does not suffer from a slew of problems within days of release?

They always claim beta status on their releases. Perhaps they should consider that alpha precedes beta.

here's a good one ...

In addition I have found it impossible to use my web mail with this running because as soon as I sign in Google Web Accelerator is “clicking” on the sign-out link, and killing my session.

You'd have thought Google would think these things through a bit more, considering all the great minds they're supposed to have working for them.

what were they thinking?

were they thinking at all?

And while I am on the subject of thinking, their errors could have been avoided had they read the source code and documentation for SQUID. Or maybe they did, but as usual, decided they knew better.

The phishing pond just got a lot larger

Load the "accelerator" and start hunting down admin panels...whoo hoo!

and another ...

To see a dangerous use, you have to look no farther than Google’s own Blogger. If you post a comment on a blogger weblog, and if you are logged on, you can see a delete icon near your comments. If you are the owner of the weblog, you can see the delete icon near *all* the comments. This icon has a plain link to a script that deletes the message without any server side confirmation.
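The hazard those last two posts describe (UI commands behind GET links, and a delete icon that is a plain link with no server-side confirmation) is easy to see in a small model. The Python below is an added illustration, not code from the thread, from Blogger or from any site mentioned here: the Site and Request classes, the /delete route and the toy "prefetcher" that fetches every href it sees are all constructed for the example. It puts the vulnerable GET layout next to the usual hardening (POST only, plus a per-session token) and shows what a link prefetcher does to each.

```python
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)


@dataclass
class Site:
    # comment id -> text; the per-session token is constructed here,
    # a real app would tie it to the logged-in session
    comments: dict
    session_token: str = field(default_factory=lambda: secrets.token_hex(16))


GET_DELETE = re.compile(r"^/delete\?id=(\d+)$")


def page_with_get_delete(site):
    """Vulnerable layout: each delete action is a plain <a href>, so anything
    that follows links (a prefetcher, a crawler, a link-preview bot) fires it."""
    return "".join(
        f'<p>{text} <a href="/delete?id={cid}">delete</a></p>'
        for cid, text in site.comments.items()
    )


def handle_get_delete(site, req):
    """Vulnerable server side: deletes on a bare GET with no confirmation."""
    m = GET_DELETE.match(req.path)
    if req.method == "GET" and m:
        site.comments.pop(int(m.group(1)), None)
        return 200
    return 404


def page_with_post_delete(site):
    """Hardened layout: the action is a POST form carrying the session token,
    so a link follower sees nothing to fetch."""
    return "".join(
        f'<p>{text}<form method="post" action="/delete">'
        f'<input type="hidden" name="id" value="{cid}">'
        f'<input type="hidden" name="token" value="{site.session_token}">'
        f"<button>delete</button></form></p>"
        for cid, text in site.comments.items()
    )


def handle_post_delete(site, req):
    """Hardened server side: POST only, and the token must match the session."""
    if req.path != "/delete":
        return 404
    if req.method != "POST":
        return 405  # a GET to the delete URL is refused, not acted on
    if not secrets.compare_digest(req.form.get("token", ""), site.session_token):
        return 403
    try:
        site.comments.pop(int(req.form.get("id", "")), None)
    except ValueError:
        return 400
    return 200


HREF = re.compile(r'href="([^"]+)"')


def prefetch_links(html, site, handler):
    """Toy accelerator: GET every href on the page, exactly as a link
    prefetcher would, and return the status codes it got back."""
    return [handler(site, Request("GET", href)) for href in HREF.findall(html)]


def comments_left_after_prefetch(page_builder, handler):
    """Build a three-comment site, let the prefetcher loose on its page, and
    report which comment ids survive."""
    site = Site({1: "first", 2: "second", 3: "third"})
    prefetch_links(page_builder(site), site, handler)
    return sorted(site.comments)


def legitimate_post_delete(cid, with_token=True):
    """A real user submitting the hardened form; returns (status, survivors)."""
    site = Site({1: "first", 2: "second", 3: "third"})
    form = {"id": str(cid)}
    if with_token:
        form["token"] = site.session_token
    status = handle_post_delete(site, Request("POST", "/delete", form))
    return status, sorted(site.comments)


if __name__ == "__main__":
    print("GET delete, after prefetch:", comments_left_after_prefetch(page_with_get_delete, handle_get_delete))
    print("POST delete, after prefetch:", comments_left_after_prefetch(page_with_post_delete, handle_post_delete))
    print("real POST with token:", legitimate_post_delete(2))
    print("real POST without token:", legitimate_post_delete(2, with_token=False))
```

With the GET layout the prefetcher wipes every comment just by looking at the page; with the POST layout it finds no links, a stray GET to /delete gets a 405, and only a form submission carrying the session token deletes anything. The same split applies to the sign-out link mentioned earlier in the thread: a logout that happens on GET will be triggered by any link follower.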

Have I missed something

or is nobody commenting on their finally pulling GWA?

Ok, so maybe it's just the Sunday/weekend blues ... :-)


You're good at reading between the lines fanto ; ]

Have they set the maximum number of users to zero??

BTW - which G engineer's 20%-project was this thing anyway????

As someone else pointed out somewhere

... it may very well be a case for
(You by any chance involved in this, Mikkel? Looks pretty black hat to me - well, "hatless/headless" really.)

The headlines! "Bloodbath at the 'plex!", "The Mountainview Chain Saw Massacre!", ah - for an uplifting day dream ... :-)


> (You by any chance involved in this, Mikkel? Looks pretty black hat to me - well, "hatless/headless" really.)

Nope, nothing to do with me :)
