Google announced last week that the company had joined the ranks of a small group of other organizations that pay researchers for finding bugs in its code.
The company will pay $500 per bug found in Chromium, the open-source code that powers the company's Chrome Internet browser, Google stated in a blog post published on Thursday. For extremely critical issues, as judged by the company's security team, Google will pay $1,337 -- a play on hackerspeak for "leet" or elite.
"We are hoping that the introduction of this program will encourage new individuals to participate in Chromium security," Chris Evans, a member of Google's Chrome security team, stated in the blog post. "The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be."
The search giant is far from the first company to agree to pay security researcher who find and privately disclose bugs. Google's program is based on browser maker Mozilla's bug bounty. In addition, security firms TippingPoint and iDefense both pay for critical bugs in other companies' software, using the information to protect their own customers.
In the blog post, Google's Evans appeared to indicate that only responsibly disclosed vulnerabilities would be considered for a reward and that bugs publicly disclosed without giving Google developers time to fix would not be considered.
"We encourage responsible disclosure," Evans wrote. "Note that we believe responsible disclosure is a two-way street; it's our job to fix serious bugs within a reasonable time frame."
Bug bounties allow researchers to receive a small amount of cash for their research, but pale in comparison to the fees that critical issues can command from cybercriminals and government cyber programs. Exploits for a serious flaw in a popular program can sell for more than $100,000.
Showing posts with label Google. Show all posts
Showing posts with label Google. Show all posts
Monday, February 8, 2010
Sunday, February 7, 2010
40,000 More Extensions!
One thing that got lost in the commotion of the extensions launch is a feature that is near and dear to my heart: Google Chrome 4 now natively supports Greasemonkey user scripts. Greasemonkey is a Firefox extension I wrote in 2004 that allows developers to customize web pages using simple JavaScript and it was the inspiration for some important parts of our extension system.
Ever since the beginning of the Chromium project, friends and coworkers have been asking me to add support for user scripts in Google Chrome. I’m happy to report that as of the last Google Chrome release, you can install any user script with a single click. So, now you can use emoticons on blogger. Or, you can browse Google Image Search with a fancy lightbox. In fact, there’s over 40,000 scripts on userscripts.org alone.
Installation is quick and easy, just like installing an extension. That’s because under the covers, the user script is actually converted into an extension. This means that management tasks like disabling and uninstalling work just like they do with extensions.
Note that user scripts are powerful software and have full access to your private data on any web site. So, for example, they could read all your web mail or access your online bank. Be sure to read the comments on any user scripts in order to decide whether you trust the author with this power.
Also keep in mind that some user scripts won’t work in Google Chrome yet, because of differences between it and Firefox. Based on some analysis that the current maintainers of Greasemonkey did, I expect between 15%-25% of scripts to not work in Google Chrome. If you find such a script, you should consider letting the author know. There may be something he or she can do to easily fix the problem. In the meantime, we’ll keep working on bugs on our side to bring our implementation closer to Greasemonkey.
Have fun trying out the thousands of available scripts. And don’t worry - If you get bored, there’s lots more extensions at Google Chrome’s extension gallery.
source : http://www.hacking-news.com/
Ever since the beginning of the Chromium project, friends and coworkers have been asking me to add support for user scripts in Google Chrome. I’m happy to report that as of the last Google Chrome release, you can install any user script with a single click. So, now you can use emoticons on blogger. Or, you can browse Google Image Search with a fancy lightbox. In fact, there’s over 40,000 scripts on userscripts.org alone.
Installation is quick and easy, just like installing an extension. That’s because under the covers, the user script is actually converted into an extension. This means that management tasks like disabling and uninstalling work just like they do with extensions.
Note that user scripts are powerful software and have full access to your private data on any web site. So, for example, they could read all your web mail or access your online bank. Be sure to read the comments on any user scripts in order to decide whether you trust the author with this power.
Also keep in mind that some user scripts won’t work in Google Chrome yet, because of differences between it and Firefox. Based on some analysis that the current maintainers of Greasemonkey did, I expect between 15%-25% of scripts to not work in Google Chrome. If you find such a script, you should consider letting the author know. There may be something he or she can do to easily fix the problem. In the meantime, we’ll keep working on bugs on our side to bring our implementation closer to Greasemonkey.
Have fun trying out the thousands of available scripts. And don’t worry - If you get bored, there’s lots more extensions at Google Chrome’s extension gallery.
source : http://www.hacking-news.com/
Google aims to speed up DNS requests
Google and Neustar UltraDNS have proposed a extension to try to build some geographic awareness into the Domain Name System.
The proposed extension, called Client IP information in DNS requests, would send along the first three quarters of a user’s IP address along with an DNS request. The last quarter would be cut off to preserve some privacy, but the first part should be enough to geographically target the answer in some cases, Google said in a blog post on Wednesday.
As designed, it would, for example, return the address for Google’s Dutch server, not Google’s California server, to a user in the Netherlands who needs to reach it.
For more on this story, see Google proposes geo-smart Internet speedup on CNET News.
Google aims to speed up DNS requests
Google and Neustar UltraDNS have proposed a extension to try to build some geographic awareness into the Domain Name System.
The proposed extension, called Client IP information in DNS requests, would send along the first three quarters of a user’s IP address along with an DNS request. The last quarter would be cut off to preserve some privacy, but the first part should be enough to geographically target the answer in some cases, Google said in a blog post on Wednesday.
As designed, it would, for example, return the address for Google’s Dutch server, not Google’s California server, to a user in the Netherlands who needs to reach it.
For more on this story, see Google proposes geo-smart Internet speedup on CNET News.
The proposed extension, called Client IP information in DNS requests, would send along the first three quarters of a user’s IP address along with an DNS request. The last quarter would be cut off to preserve some privacy, but the first part should be enough to geographically target the answer in some cases, Google said in a blog post on Wednesday.
As designed, it would, for example, return the address for Google’s Dutch server, not Google’s California server, to a user in the Netherlands who needs to reach it.
For more on this story, see Google proposes geo-smart Internet speedup on CNET News.
Google to drop IE6 support in cloud apps
Search and advertising giant Google is phasing out support for Internet Explorer 6 in its cloud services, starting with Google Docs and Google Sites, from 1 March.
Google announced in a blog post on Friday that from the beginning of March, certain key functionality in Google Docs and Google Sites “would not work properly” with IE6 and older versions of other browsers.
“Please take the time to switch your organisation to the most up-to-date browsers available,” said Rajen Sheth, Google Apps senior product manager, in the blog post.
The company is urging Google Apps users to move to IE7, Firefox 3.0, Chrome 4.0 or Safari 3.0, or more recent versions of those browsers. Net Applications put IE6’s share of the general browser market in January at about 20 percent, bettered only by IE8 at 22 percent. In April, Forrester Research found that 60 percent of enterprises used IE6 as their default browser.
Google has not specified precisely which Apps functionalities in older browsers will be affected. However, the company said it wants to support HTML 5, the latest version of markup language HTML, which is not supported by older browsers.
“Older browsers were not designed to handle new web-based applications, which means they don’t support modern web technologies like HTML 5 and advanced JavaScript processing,” a Google spokesperson said. “For example, IE6 doesn’t support HTML 5, and IE6 and [Firefox 2] do not process JavaScript nearly as efficiently as newer versions of IE and FF.”
The dropping of support means Google will not fix issues specific to older browsers and will not develop new features for them. However, users will still be able to access Google Docs and Sites using the software.
“With Google Docs, we plan on continuing to support view-only mode in IE6, and we will still support viewing of Google Sites in IE6,” the company’s spokesperson said.
Goggle’s phasing out of support for IE6 has nothing to do with the recent security problems Google encountered through IE6 use, according to the spokesperson.
“No, this was already planned and is being done so we can continue using the latest web technologies to bring new, innovative features to our users,” the spokesperson said. “We’re following other companies that have done the same, like Twitter, Facebook and Microsoft for Office Web Apps.”
Earlier this month, Microsoft admitted that Chinese attacks on Google and other companies had exploited a hole in IE6, which was also present in IE7 and IE8.
At the time, the flaw did not have a patch, leading the French and German governments to recommend that users update to the later versions of IE, or switch browsers.
The UK government urged users to update their browsers, but said that switching browsers was unnecessary. Various government departments, including the Department for Work and Pensions (DWP), the Department of Health (DoH) and the Department for Business, Innovation and Skills (BIS) use IE6 on all desktop and laptop computers.
The DoH issued advice to its users on 21 January saying they should upgrade to IE7. “It is recommended that organisations still using Internet Explorer 6 on the affected platforms upgrade to Internet Explorer 7,” it said, in email advice seen by ZDNet UK. Internet Explorer 7 has gone through an internal accreditation process, said the DoH, and as a result has been verified to work correctly within the central NHS system, known as the NHS Spine.
Microsoft released an out-of-band patch for the IE zero-day on 21 January.
Source : http://www.hacking-news.com/
Google announced in a blog post on Friday that from the beginning of March, certain key functionality in Google Docs and Google Sites “would not work properly” with IE6 and older versions of other browsers.
“Please take the time to switch your organisation to the most up-to-date browsers available,” said Rajen Sheth, Google Apps senior product manager, in the blog post.
The company is urging Google Apps users to move to IE7, Firefox 3.0, Chrome 4.0 or Safari 3.0, or more recent versions of those browsers. Net Applications put IE6’s share of the general browser market in January at about 20 percent, bettered only by IE8 at 22 percent. In April, Forrester Research found that 60 percent of enterprises used IE6 as their default browser.
Google has not specified precisely which Apps functionalities in older browsers will be affected. However, the company said it wants to support HTML 5, the latest version of markup language HTML, which is not supported by older browsers.
“Older browsers were not designed to handle new web-based applications, which means they don’t support modern web technologies like HTML 5 and advanced JavaScript processing,” a Google spokesperson said. “For example, IE6 doesn’t support HTML 5, and IE6 and [Firefox 2] do not process JavaScript nearly as efficiently as newer versions of IE and FF.”
The dropping of support means Google will not fix issues specific to older browsers and will not develop new features for them. However, users will still be able to access Google Docs and Sites using the software.
“With Google Docs, we plan on continuing to support view-only mode in IE6, and we will still support viewing of Google Sites in IE6,” the company’s spokesperson said.
Goggle’s phasing out of support for IE6 has nothing to do with the recent security problems Google encountered through IE6 use, according to the spokesperson.
“No, this was already planned and is being done so we can continue using the latest web technologies to bring new, innovative features to our users,” the spokesperson said. “We’re following other companies that have done the same, like Twitter, Facebook and Microsoft for Office Web Apps.”
Earlier this month, Microsoft admitted that Chinese attacks on Google and other companies had exploited a hole in IE6, which was also present in IE7 and IE8.
At the time, the flaw did not have a patch, leading the French and German governments to recommend that users update to the later versions of IE, or switch browsers.
The UK government urged users to update their browsers, but said that switching browsers was unnecessary. Various government departments, including the Department for Work and Pensions (DWP), the Department of Health (DoH) and the Department for Business, Innovation and Skills (BIS) use IE6 on all desktop and laptop computers.
The DoH issued advice to its users on 21 January saying they should upgrade to IE7. “It is recommended that organisations still using Internet Explorer 6 on the affected platforms upgrade to Internet Explorer 7,” it said, in email advice seen by ZDNet UK. Internet Explorer 7 has gone through an internal accreditation process, said the DoH, and as a result has been verified to work correctly within the central NHS system, known as the NHS Spine.
Microsoft released an out-of-band patch for the IE zero-day on 21 January.
Source : http://www.hacking-news.com/
Wednesday, December 16, 2009
An Accidental Google Hack
Whilst looking at the security of a web application today I was able to extract the usernames and passwords using SQL Injection, which was nice. Well being a bit of a newbie after I got the passwords I was confused about the encoding/encryption. I managed to figure it out by using the encoding page on Clez.net and by encoding/decoding one of the password that I knew the cleartext of (my test account). It was using Base64 reversed. I also noticed that many of the passwords were =Qmcvd3czFGc which decoded to password (after reversing it).
Now the accidental bit.
My friend Bob got to hear of this and decided to Google the reverse Base64 string "=Qmcvd3czFGc". He got a few hits, but the first result was real interesting.
It seems his fist hit returned email addresses, login names, weird strings that might be base64 reverse encoded passwords (he'll look into that later I imagine).
Then Bob put his Google Fu to work. Seeing that the site had some interesting details available to just about anyone he wondered just how much Google had indexed.
site:yimwhan.com filetype:txt intext:password
Oh dear...within seconds Bob found a password. Surely it was old and probably not active anymore?
Well we all know Bob, his curiosity gets the better of him.
Bob just couldn't help himself could he!
I think this clearly demonstrates that anything you send can and probably will be picked up by Google and someone like Bob might just stumble across it at some time in the future. It might be an idea to think before you post!
Now the accidental bit.
My friend Bob got to hear of this and decided to Google the reverse Base64 string "=Qmcvd3czFGc". He got a few hits, but the first result was real interesting.
It seems his fist hit returned email addresses, login names, weird strings that might be base64 reverse encoded passwords (he'll look into that later I imagine).
Then Bob put his Google Fu to work. Seeing that the site had some interesting details available to just about anyone he wondered just how much Google had indexed.
site:yimwhan.com filetype:txt intext:password
Oh dear...within seconds Bob found a password. Surely it was old and probably not active anymore?
Well we all know Bob, his curiosity gets the better of him.
Bob just couldn't help himself could he!
I think this clearly demonstrates that anything you send can and probably will be picked up by Google and someone like Bob might just stumble across it at some time in the future. It might be an idea to think before you post!
An Accidental Google Hack
Whilst looking at the security of a web application today I was able to extract the usernames and passwords using SQL Injection, which was nice. Well being a bit of a newbie after I got the passwords I was confused about the encoding/encryption. I managed to figure it out by using the encoding page on Clez.net and by encoding/decoding one of the password that I knew the cleartext of (my test account). It was using Base64 reversed. I also noticed that many of the passwords were =Qmcvd3czFGc which decoded to password (after reversing it).
Now the accidental bit.
My friend Bob got to hear of this and decided to Google the reverse Base64 string "=Qmcvd3czFGc". He got a few hits, but the first result was real interesting.
It seems his fist hit returned email addresses, login names, weird strings that might be base64 reverse encoded passwords (he'll look into that later I imagine).
Then Bob put his Google Fu to work. Seeing that the site had some interesting details available to just about anyone he wondered just how much Google had indexed.
site:yimwhan.com filetype:txt intext:password
Oh dear...within seconds Bob found a password. Surely it was old and probably not active anymore?
Well we all know Bob, his curiosity gets the better of him.
Bob just couldn't help himself could he!
I think this clearly demonstrates that anything you send can and probably will be picked up by Google and someone like Bob might just stumble across it at some time in the future. It might be an idea to think before you post!
Now the accidental bit.
My friend Bob got to hear of this and decided to Google the reverse Base64 string "=Qmcvd3czFGc". He got a few hits, but the first result was real interesting.
It seems his fist hit returned email addresses, login names, weird strings that might be base64 reverse encoded passwords (he'll look into that later I imagine).
Then Bob put his Google Fu to work. Seeing that the site had some interesting details available to just about anyone he wondered just how much Google had indexed.
site:yimwhan.com filetype:txt intext:password
Oh dear...within seconds Bob found a password. Surely it was old and probably not active anymore?
Well we all know Bob, his curiosity gets the better of him.
Bob just couldn't help himself could he!
I think this clearly demonstrates that anything you send can and probably will be picked up by Google and someone like Bob might just stumble across it at some time in the future. It might be an idea to think before you post!
Subscribe to:
Posts (Atom)
