Google says it has now fixed a security problem with its Google Accounts service, which provides a cookie-based way for people to log into various Google services.
Last Thursday, Google Blogoscope pointed to a
forum discussion (and also here) that suggested Google’s
Froogle service in particular might inadvertently let people access Gmail accounts, because account information embedded in the Google cookie could be hijacked.
I emailed Google about this on Friday and received back the following statement:
Google was recently alerted to a potential security vulnerability affecting Froogle. We have since fixed this vulnerability, and all current and future Froogle users are
Spotted via Organized Shopping, eWeek has a nice write-up in Google Plugs
Cookie-Theft Data Leak on what happened, with quotes from Nir Goldshlager, a security research who spotted the hole. He also warns that anyone who had their cookie stolen
would still be at risk.