Security Flaw With Google Sitemaps Stats


Del.icio.us  Digg  Google  Spurl  Blink  Furl  Y! MyWeb  
Share:
Sponsors:

By Steve Malone

Search engine Google has acted quickly to plug an embarrassing hole in its Sitemaps facility. Visitors who 'verified' that they owned a site with Sitemaps could see private information about the site.

Sitemaps is a facility provided by Google that provides webmasters with information about their sites. Some of it - such as 'links' and 'inurl' - is meant to be public but other data is supposedly only available to the site owners. A bug crept in that allowed anyone to claim they had a right to see the information.The problem arose in the way that Google checks that the visitor 'owns' the site. The search engine does this by generating a unique page URL that has to be placed under the domain name. When asked to verify, Google will check whether the page exists. However, it turns out that this is not quite what it does. What it checked was whether it received a '404 Page Not Found' message. Some sites do not generate a 404 but instead say, refer the request to a similar page. In these cases Google would accept that the page had been 'verified' and provide the Sitemaps account with the information.

To be fair, the private information was not that detailed and mostly consists of referred pages although Google has promised to increase the information provided in the future. However, it is embarrassing that a company which boasts wall to wall Computer Science PhDs should get caught out by such a simple oversight.

In a blog posting, Vanessa Fox from Google Engineering said that the bug is one which has crept in recently. When Sitemaps was introduced a couple of months ago the system checked to make sure that the web server is configured to return a 404 correctly when a request for a non-existent page is made. According to Fox 'with our latest release, a bug prevented this process from working correctly'.

Google is also attempting reassure webmasters who may be alarmed at Google revealing potentially sensitive information. Fox says that the hole has been plugged, and to ensure the security of all sites using the Google Sitemaps tool, the company will re-verify all sites added in the previous 48 hours.

Article submitted by: Webshark
Last Update: 11-21-2005
Category: Off Topic Info

Print | E-mail


Current rating: 5.32 by 43 users
Would you recommend this article to a friend?

Not a Chance 12345678910 Absolutely

Please register or sign-in to post comments.


Related News Stories

(15,152 reads) 03-29-2007
 · Adobe Photoshop CS3 published
(13,140 reads) 08-03-2006
 · FBI calls for hacker help.
(14,969 reads) 07-20-2006
 · Become a Friend of Firefox.
(14,559 reads) 02-23-2006
 ·  Inside Windows Vista ( Build 5308) + slide show
(13,261 reads) 02-21-2006
 · do-you-have-a.COM ? thinking-to-buy-a.COM ?
(13,434 reads) 01-17-2006
 · Websites judged in milliseconds
(14,024 reads) 01-17-2006
 · Stolen Corvette found after 37 years (Reuters)
(13,636 reads) 01-17-2006
 · Two patients in surgical slip-up (Reuters)
(13,025 reads) 01-17-2006
 · Goose Poop a Problem for Oakland Parkgoers (AP)