I just logged into Neowin and notice that I had logged in as several neowin users. Every time I refreshed the page, the username changed, and I could access any portion of the site.
I was able to access their control panels and possibly even post (I did so to make sure that this was a security issue.)
It is still happening and I apologize if that has already been posted.
Edit:
This is a major Google Web Accelerator security issue:
http://news.zdnet.co.uk/internet/security/...39197327,00.htm
"I went to the Futuremark forums and noticed that I'm logged in as someone I don't know. Great, I've used Google's Web Accelerator for a couple of hours, visited lots of sites where I'm logged in. Now I wonder how many people used my cache. I understand it's a beta, sure, but something like that is totally unacceptable."
Edit 2:
Someone please modify the title of this thread. At the time of its posting, I hadn't realized it was a Google issue.
(MOD EDIT: changed the title now, hope that helps... DB)
Full Version: Major Google Web Accelerator Security Issue
wtf you must be special.
lol, 
oh, i checked vice kings recent posts and the last one was earlier today
oh, i checked vice kings recent posts and the last one was earlier today
Odd. Maybe you somehow got their session ids?
What's extremely odd is that it's still hapenning. I did not post, I only checked their control panels to make sure I wasn't imagining this.
Their skins and settings are all present. It's extremely odd.
Their skins and settings are all present. It's extremely odd.
You logged in with your credentials, right?
Very odd
Very odd
I just realized: Could it be because of Google's Web Accelerator?
This is a major issue, it seems:
http://news.zdnet.co.uk/internet/security/...39197327,00.htm
http://news.zdnet.co.uk/internet/security/...39197327,00.htm
Wow it shares your cookies? I can't believe that idea got off the ground.
It should have been more like Red Swoosh or something where just pictures and pages we're cached, caching cookies and sharing them is insane.
It should have been more like Red Swoosh or something where just pictures and pages we're cached, caching cookies and sharing them is insane.
WOW 
QUOTE(tajddin @ May 6 2005, 01:25)
I just realized: Could it be because of Google's Web Accelerator?
It is because of it. I'd highly recommend people stay away from this tool. I love Google but I don't like this tool at all, it's useless really and don't like what they are doing with it.
QUOTE(tajddin @ May 6 2005, 01:31)
Here's SlashDot's discussion, http://slashdot.org/article.pl?sid=05/05/0...&tid=217&tid=95 and also SomethingAwful, which I do not visit but got passed the link also has an article on Google's Web Accelerator that's a pretty good read, believe the links though are banned here on the forum though. So look for yourself if you want to read it.
Oh **** o.o... Thats a pretty big issue!
Umm... Admins? Mods?! Someone?
Umm... Admins? Mods?! Someone?
wow. thanks for lettign me know. i dont want anyone to use my cookies.
Wow, who needs spyware when you can just have Google's Web Accelerator?
What could a mod do though? If it truly shares your cookies, the only way to combat it would be to disable cookies and make you sign in at all times.
The issue isn't with Neowin, cookies were designed to store your info for a site on your computer, if your cookie gets shared it's not the sites fault. You need to complain to google, not neowin.
The issue isn't with Neowin, cookies were designed to store your info for a site on your computer, if your cookie gets shared it's not the sites fault. You need to complain to google, not neowin.
temporary cookie cacheing.... that does not sound good at all. 
maybe the 'google conspiracy' is real? Or do they just have poor programers and QA?
maybe the 'google conspiracy' is real? Or do they just have poor programers and QA?
QUOTE(mAcOdIn @ May 5 2005, 22:43)
What could a mod do though? If it truly shares your cookies, the only way to combat it would be to disable cookies and make you sign in at all times.
The issue isn't with Neowin, cookies were designed to store your info for a site on your computer, if your cookie gets shared it's not the sites fault. You need to complain to google, not neowin.
[right][snapback]585880087[/snapback][/right]
The issue isn't with Neowin, cookies were designed to store your info for a site on your computer, if your cookie gets shared it's not the sites fault. You need to complain to google, not neowin.
[right][snapback]585880087[/snapback][/right]
I think you need to understand that at the time of the first posting, I did not know it was Google!
This should be posted on the front page.
QUOTE(virtorio @ May 6 2005, 02:42)
Wow, who needs spyware when you can just have Google's Web Accelerator?
[right][snapback]585880083[/snapback][/right]
[right][snapback]585880083[/snapback][/right]
yeah, more like... "hacking and identity theft made easy"
QUOTE(tajddin @ May 6 2005, 00:44)
I think you need to understand that at the time of the first posting, I did not know it was Google!
This should be posted on the front page.
[right][snapback]585880093[/snapback][/right]
This should be posted on the front page.
[right][snapback]585880093[/snapback][/right]
I meant that for the guy who posted right before me.
QUOTE(tajddin @ May 6 2005, 02:44)
I think you need to understand that at the time of the first posting, I did not know it was Google!
This should be posted on the front page.
[right][snapback]585880093[/snapback][/right]
This should be posted on the front page.
[right][snapback]585880093[/snapback][/right]
Agree
this is a HUGE issue.
this info should also be passed on to other forums as an attempt to avoid this stuff from happening.
the t ittle of this thread (and it's location) needs to be changed.
modz??
modz??
Now that shouts for front page news... Haven't tried the Web Accel myself...
Considering how big the issue really is, I have a hard time seeing how it was ever greenlighted at all.
The interaction between a cookie and web page has been a relative standard for the internet for years, heck I think the idea's over 10 years old, and to make a tool that basically throws that out of the window was downright irresponsible of google.
I know it's beta, I know it's not for the mainstream and is basically damn near hidden on thier site but, crap, what was going through thier heads?
The person who came up with this idea should never be allowed to work on any network related program ever again, this is the worst judgement I've ever seen a company make on the internet.
The interaction between a cookie and web page has been a relative standard for the internet for years, heck I think the idea's over 10 years old, and to make a tool that basically throws that out of the window was downright irresponsible of google.
I know it's beta, I know it's not for the mainstream and is basically damn near hidden on thier site but, crap, what was going through thier heads?
The person who came up with this idea should never be allowed to work on any network related program ever again, this is the worst judgement I've ever seen a company make on the internet.
QUOTE(mAcOdIn @ May 5 2005, 23:17)
Considering how big the issue really is, I have a hard time seeing how it was ever greenlighted at all.
The interaction between a cookie and web page has been a relative standard for the internet for years, heck I think the idea's over 10 years old, and to make a tool that basically throws that out of the window was downright irresponsible of google.
I know it's beta, I know it's not for the mainstream and is basically damn near hidden on thier site but, crap, what was going through thier heads?
The person who came up with this idea should never be allowed to work on any network related program ever again, this is the worst judgement I've ever seen a company make on the internet.
[right][snapback]585880169[/snapback][/right]
The interaction between a cookie and web page has been a relative standard for the internet for years, heck I think the idea's over 10 years old, and to make a tool that basically throws that out of the window was downright irresponsible of google.
I know it's beta, I know it's not for the mainstream and is basically damn near hidden on thier site but, crap, what was going through thier heads?
The person who came up with this idea should never be allowed to work on any network related program ever again, this is the worst judgement I've ever seen a company make on the internet.
[right][snapback]585880169[/snapback][/right]
Very well said. As a software developer myself, I cannot comprehend how such a major issue would afflict a public beta. It's completely unacceptable.
HOLY COW! I am so glad I never used it.
That is seriously bad, though the post should be deleted to we dont get people deliberately using it to get into accounts!
QUOTE(TimRogers @ May 6 2005, 07:28)
That is seriously bad, though the post should be deleted to we dont get people deliberately using it to get into accounts!
[right][snapback]585880190[/snapback][/right]
[right][snapback]585880190[/snapback][/right]
err why? we need people to be made aware of the problem!
Remove the google accelerator and change all login passwords for accounts you where logged into when using the google accelerator, this should in theory stop anyone using the old cookie to gain access to any of your accounts.
Another thread is already open on this topic:
http://www.neowin.net/forum/index.php?act=ST&f=8&t=317129
http://www.neowin.net/forum/index.php?act=ST&f=8&t=317129
Thanks for the warning. I've just changed my passwords and deleted the accelerator.
Google can lick my hairy ass on this one. That's a major flaw and to not notice it, well I have to question their developers.
Google can lick my hairy ass on this one. That's a major flaw and to not notice it, well I have to question their developers.
I guess google's plan of world dominance is leaking out..
Google Web Accelerator BETA
Beta doesn't matter, because this is the intended result.
There's not a bug in the software there's a bug in the concept.
There's not a bug in the software there's a bug in the concept.
i've turned mine off now, I see it as a bug 
I was going to try it tonight, glad I came here first.
QUOTE(insurektion @ May 6 2005, 00:18)
wtf you must be special.
[right][snapback]585880028[/snapback][/right]
[right][snapback]585880028[/snapback][/right]
he is the "one".
thats a pretty big security issue.
I'm glad I never used Neowin or any other forum during the 15 minutes I used it for.
Somebody was smoking abit to much of the wrong thing when making this
Its just a beta so its still in testing wait for the final.
-DannyGlass
-DannyGlass
Perhaps the admins should temporarily disable cookies on the board, to prevent people's identities from being stolen? I'm sure many users would understand if the reason were posted on the front page.
QUOTE(Relativity_17 @ May 6 2005, 09:44)
Perhaps the admins should temporarily disable cookies on the board, to prevent people's identities from being stolen? I'm sure many users would understand if the reason were posted on the front page.
[right][snapback]585880327[/snapback][/right]
[right][snapback]585880327[/snapback][/right]
It's not Neowin's issue. It's Google's. If anything encourage people to NOT use the Google Web Accelerator but don't disable cookies
DON'T DISABLE COOKIES!!!11!!1KKEEJEJEONENENOE
IMO the harshest yet most reasonable option open to Neowin would be to disable cookies only from the IP ranges of google, but I don't know if they have that much control over the board. But at least that way it would only affect users of Google Web Accelerator and not affect the rest of the members.
However one has to ask, is it Neowin's responsibility to protect the user from itself?
However one has to ask, is it Neowin's responsibility to protect the user from itself?
Wow, now that's a beta issue if I've ever heard of one!
Well, this is definitely a slip in their QA procedures.
Their programmers are generally good though. Look at google.com, Gmail, Google Maps, and so on.
I'm not sure of what "conspiracy" you're talking about, when it has to do with users logging into forums with another guy's account?
QUOTE
maybe the 'google conspiracy' is real? Or do they just have poor programers and QA?
Well, this is definitely a slip in their QA procedures.
Their programmers are generally good though. Look at google.com, Gmail, Google Maps, and so on.
I'm not sure of what "conspiracy" you're talking about, when it has to do with users logging into forums with another guy's account?
sorry dude but if true then is one big problem 
QUOTE(morficus @ May 6 2005, 01:43)
temporary cookie cacheing.... that does not sound good at all.
maybe the 'google conspiracy' is real? Or do they just have poor programers and QA?
[right][snapback]585880088[/snapback][/right]
maybe the 'google conspiracy' is real? Or do they just have poor programers and QA?
[right][snapback]585880088[/snapback][/right]
Both are true. The Google conspiracy and poor programmers. Any toolbar though is a joke. Useless crap!! Seen this coming!!
QUOTE(virtorio @ May 6 2005, 00:42)
Wow, who needs spyware when you can just have Google's Web Accelerator?
[right][snapback]585880083[/snapback][/right]
[right][snapback]585880083[/snapback][/right]
maybe google is tryin to spread out it's own version of spyware?
yes!!!!! spyware for free from google!!!!
What???
Anybody can enter in a random user???
STUPID GOOGLE
Are we in Danger???
Anybody can enter in a random user???
STUPID GOOGLE
Are we in Danger???
QUOTE(nienor @ May 6 2005, 11:46)
Are we in Danger???
[right][snapback]585880561[/snapback][/right]
[right][snapback]585880561[/snapback][/right]
As I understand it, people using the accelerator can sometimes get logged in as other users using the accelerator.
Yes that is correct! Jug!
-DannyGlass
-DannyGlass
Dammm 
, I'm glad i don't use it
Hope google fix this ASAP
, I'm glad i don't use it Hope google fix this ASAP
wheres the proof? show me the proof someone screenshot a name other than their own
someone screenshot a name other than their own
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.