Clever Hack

Posted in PSA, web at 3:08 pm by Josh Peters

Eric Farraro discovered a flaw in Google’s University Search program. The program lets a university upload its own markup to make its search page look nice, and that page is then hosted on Google’s own domain. Because the uploaded markup is served back as-is, it can carry JavaScript, and Eric used that to hijack the page and impersonate Gmail, Google’s mail service, to grab usernames and passwords as a proof of concept. What makes this nasty is that the fake login page lives on Google’s domain, so the address bar gives a visitor no hint that anything is wrong.

Amazingly enough, Google failed to follow the first rule of handling online data: assume incoming data is not trustworthy. Nearly every blog platform refuses arbitrary HTML in comments for exactly this reason, either stripping markup entirely or reducing it to a short allowlist of harmless tags, because anything a site serves from its own domain runs with that domain’s authority in the visitor’s browser. Even a good sanitizer is only a second line of defense; the safer design is to serve user-supplied pages from a separate domain so that a missed case cannot reach the main site’s cookies and sessions. However, I hope Google has learned its lesson and will be less trusting in the future.
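As an added example of the kind of filtering the post says blog software applies to comments, here is a small allowlist sanitizer for untrusted markup, run over a constructed sample of the sort of hostile "make my page look nice" upload the post describes. This is not code from the original post and not Google's University Search code; the allowed tags and attributes, the helper names (`safe_url`, `AllowlistSanitizer`, `sanitize`) and the sample markup are all assumptions made for illustration. Eric's actual proof of concept is not reproduced on the page and is not reproduced here.

```python
"""Allowlist sanitizer for untrusted HTML.

Added example, not code from the original post or from Google.  The policy
below (ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_SCHEMES) is an assumption chosen for
illustration; a real deployment would tune it to its own needs.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: basic formatting and links only.  Anything not listed is
# dropped, so script, style, iframe, form and every on* handler never survive.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "h1", "h2",
                "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
VOID_TAGS = {"br", "img"}
# The *content* of these elements is discarded too, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}


def safe_url(value):
    """True only for http(s), mailto or relative URLs.

    Browsers ignore tabs and newlines inside a scheme, so a tab spliced into
    "javascript:" still executes; strip them before inspecting the scheme.
    """
    cleaned = "".join(c for c in value if c not in "\t\r\n").strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags and attributes; escape all other text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # attribute values arrive unescaped
        self.out = []
        self.open_tags = []   # emitted tags still open, closed at the end
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            self.drop_depth += tag in DROP_CONTENT_TAGS
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its (escaped) text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick=, onerror=, style=, ...
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            self.drop_depth -= tag in DROP_CONTENT_TAGS
            return
        if tag in self.open_tags:  # also closes anything left open inside it
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions carry nothing we want.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result()


# Constructed sample of hostile page markup (an assumption for this example,
# not the proof of concept from the post).
UNTRUSTED = (
    '<h1 onclick="steal()">Example U search</h1>'
    '<script>document.body.innerHTML = "<form>fake login</form>"</script>'
    '<p>Please <a href="jav&#x09;ascript:alert(document.cookie)">sign in</a> '
    'or visit <a href="https://example.edu/">our site</a>.</p>'
    '<img src="logo.png" onerror="alert(1)">'
    '<style>body{display:none}</style><!-- hidden --><b>&lt;script&gt;</b>'
)

if __name__ == "__main__":
    print(sanitize(UNTRUSTED))
```

The design choice worth noting is the allowlist: the sanitizer never tries to recognise dangerous tags, it only re-emits the few it knows are safe and escapes everything else, so a new browser feature cannot slip past it. Even so, the safer architecture is to keep the sanitizer and still serve user-controlled pages from a domain that holds none of the main site's cookies.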
