Monday, November 24, 2008

Why blogger doesn't trust Gmail

I always wondered about this. Blogger simply doesn't accept Gmail accounts as the blog owner's account. Now remember, Google owns Blogger, and it owns Gmail. So what gives?

Security. Specifically, lousy security:

A Gmail exploit which might be abused to allow domain hijacking has reared its ugly head once more.

The reported vulnerability revolves around the potential ability for hackers to create a malicious filter without needing to obtain the login credentials for a Gmail account. A flaw of this type hit web designer David Airey back in December 2007. Security watchers thought that Google had a handle on the problem, but now it seems that this confidence might have been misplaced.

Lots more geeky security stuff at The Reg, about Cross Site Request Forgery and cool stuff like this.
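As an added illustration (mine, not from this post, The Reg, or Google): the server-side check that stops a "create filter" request like the one described above from being forged cross-site. The session store, endpoint and all names here are constructed stand-ins, not Gmail's internals.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for a webmail backend's session store and
# per-user filter list (hypothetical names, not a real product's internals).
SESSIONS: dict[str, dict] = {}
FILTERS: dict[str, list[dict]] = {}
SITE_ORIGIN = "https://mail.example.test"  # constructed origin of the webmail app


def login(user: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    FILTERS.setdefault(user, [])
    return sid


def csrf_token(sid: str) -> str:
    """Token the app embeds in its own filter-settings page for this session."""
    return SESSIONS[sid]["csrf"]


def create_filter(cookies: dict, headers: dict, form: dict) -> tuple[int, str]:
    """State-changing endpoint: honour the request only if the browser proves it
    came from our own page, not merely that it carried our session cookie."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "no session"
    # A forged cross-site request carries the victim's cookie automatically, but a
    # third-party page cannot read the per-session token and so cannot include it.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403, "missing or wrong csrf token"
    # Defence in depth: browsers add an Origin header to cross-site POSTs.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin"
    FILTERS[session["user"]].append(
        {"match": form["match"], "forward_to": form["forward_to"]})
    return 200, "filter created"


def demo() -> tuple[int, int]:
    """Legitimate request from our page vs. a forged one riding on the cookie."""
    sid = login("victim")
    legit, _ = create_filter({"sid": sid}, {"Origin": SITE_ORIGIN},
                             {"csrf": csrf_token(sid), "match": "from:bank",
                              "forward_to": "me@example.test"})
    forged, _ = create_filter({"sid": sid}, {"Origin": "https://other.example.test"},
                              {"match": "*", "forward_to": "elsewhere@example.test"})
    return legit, forged
```

The same cookie rides along with both requests; only the token (and Origin) separates the user's own click from a forged one.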

What's interesting is that this underlines (and boldfaces) the problems with web security. Even Google can't get it quite right. Consider:
They clearly have the capability. After all, Google has buildings full of wicked smart web developers and security types. Their market cap is something like a Billion Jagillion dollars.

They clearly have the motivation. Google Apps is trying to move all sorts of folks away from Microsoft Office. If they mess up the security, then their all-your-data-are-belong-to-us strategy gets harder.
So what do you do? Don't use Gmail for anything important (other than emailing to borepatch at gmail dot com, of course!). Especially don't use it for something important like PayPal or Online Banking. Keep your important data somewhere else (remember to back it up).

Just don't keep it on your cell phone.

UPDATE 25 November 2008 19:50: Google security folks deny that this is a vulnerability. Doesn't explain why you can't use a Gmail account to start a blog.
