Google says it has now fixed a security problem with its Google Accounts service, which provides a cookie-based way for people to log into various Google services.
Last Thursday, Google Blogoscope pointed to a forum discussion (and also here) that suggested Google's Froogle service in particular might inadvertently let people access Gmail accounts, because account information embedded in the Google cookie could be hijacked.
I emailed Google about this on Friday and received back the following statement:
Google was recently alerted to a potential security vulnerability affecting Froogle. We have since fixed this vulnerability, and all current and future Froogle users are protected.
Spotted via Organized Shopping, eWeek has a nice write-up in Google Plugs Cookie-Theft Data Leak on what happened, with quotes from Nir Goldshlager, a security research who spotted the hole. He also warns that anyone who had their cookie stolen would still be at risk.
JUNE SALE! Save 15%*
Save on all e-learning certification courses, including: SEO, Social Media, Online Marketing Foundation, Web Analytics and more. Enter CZAJU at checkout »
Offer expires June 30. *Discount not applicable on SES Online products.
