
Google Talk Authorization Flaw – Which was NOT

Last year around November, when I mailed the Google security team regarding this issue, they rejected the idea. However, while working on a side project of mine, I realized Google has fixed this one now.

Problem

Consider a scenario where user1 (a Google Apps user) sends a Google Talk invite to user2 (a non-Google Apps user). What happens next?

Well, user2 gets an email notification that user1 has invited him to use Google Talk.

[Image: Google Talk invite]

Now comes the tricky part. The URL is a direct URL which authorizes anyone to be on user1's Google Talk list.

user2 can use the URL and, signed in with any account, can add user1 under any pseudonym. I was even okay till here; the problem is that people having 500-600 friends on their Google Talk list don't get a notification of a new addition. While user1 keeps waiting for a particular email ID to appear on his chat list, user2 can keep on snooping on his status with a different email ID.

Google’s Reply

Google Security Team <[email protected]>
to: me

Hi Vineet,

Thank you for your note.

Since Google has no way to verify that an account from a third party
domain belongs to a specific user, Google relies on the URL as the
secret.

If the user shares the URL it has already disclosed the secret for that
verification and any other user can take advantage of it.

Let me know if you have any other further questions. I will gladly try to
answer them.

Regards,

Fermin, The Google Team

Fix?

I bet they soon realized their mistake. This is what Google has done. Simple and effective. Instead of adding the new user to user1's Google chat list, it now just adds the email address to the contact list.
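The two acceptance behaviours described in this post, as an added toy model (not Google's code and not part of the original post). The class, method names, sample addresses and the rule that a chat-list entry grants status visibility are assumptions made for illustration.

```python
import secrets
from collections import defaultdict


class InviteService:
    """Constructed toy model of the invite flow; not Google's code."""

    def __init__(self):
        self.invites = {}                 # token -> (inviter, invited address)
        self.roster = defaultdict(set)    # inviter -> accounts that see their status
        self.contacts = defaultdict(set)  # inviter -> address book, no presence

    def send_invite(self, inviter, invited):
        token = secrets.token_urlsafe(16)  # the secret carried in the invite URL
        self.invites[token] = (inviter, invited)
        return token

    def accept_legacy(self, token, signed_in):
        # Behaviour the post describes: the URL alone authorizes, so whichever
        # account is signed in lands on the inviter's chat list.
        inviter, _invited = self.invites[token]
        self.roster[inviter].add(signed_in)

    def accept_fixed(self, token, signed_in):
        # Behaviour after the change: only the address the inviter chose is
        # stored, and only as a contact. The signed-in account gains nothing.
        inviter, invited = self.invites[token]
        self.contacts[inviter].add(invited)

    def can_see_status(self, viewer, target):
        return viewer in self.roster[target]

    def uninvited_roster_entries(self, inviter):
        # Audit a large chat list: members who were never sent an invite.
        invited = {addr for who, addr in self.invites.values() if who == inviter}
        return self.roster[inviter] - invited


def demo():
    results = {}
    for mode in ("legacy", "fixed"):
        svc = InviteService()
        token = svc.send_invite("user1@apps.example", "user2@mail.example")
        getattr(svc, "accept_" + mode)(token, "pseudonym@mail.example")
        results[mode] = (
            svc.can_see_status("pseudonym@mail.example", "user1@apps.example"),
            svc.uninvited_roster_entries("user1@apps.example"),
        )
    return results
```

The audit helper covers the large-list case from the Problem section: it lists chat-list members whose address never appeared in an invite user1 sent.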

[Image: Google Talk confirmation]
