![Facebook goes down? [UPDATE - It's up!]](http://www.nofullstop.com/wp/wp-content/themes/thejournal/thumb.php?src=http://www.nofullstop.com/wp/wp-content/uploads/2010/12/facebook-death1.jpg&h=75&w=135&zc=1&q=90)
Warning: Google Video Could Be Used To Hack Your Password
Google Video could be used to learn the username and password of the users who post videos on there MySpace accounts. This is possible as Google uses http instead of https in the URL. A user posted this in digital points forum. This is what he posted:
When a friend sent me a link to this rather boring video http://video.google.co.uk/videoplay?…85184878490822 I immediately noticed the ‘Email – Blog – Post to Myspace’ link on the right side. As any curious person would do I decided to check it out to see how Google has integrated with MySpace.
So after clicking I was greeted with the following popup http://video.google.co.uk/blogpost?d…22&siteindex=3 and immediately noticed that the url of it was http, and not https. An insecure form… So I figured it must be posting the login details to a https url, so I pulled out live headers and this is what I got:
http://video.google.co.uk/blogpost
POST /blogpost HTTP/1.1
Host: video.google.co.uk
User-Agent: Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+
xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://video.google.co.uk/blogpost?d…22&siteindex=3
Content-Length: 42
Cookie: PREF=ID=26c938172fc51030:TM=1178041215:
LM=1138046118:S=Bw_pBCzx-opEyR3s; sloc=en_GB
Pragma: no-cache
Cache-Control: no-cache
req=login&name=myusername
&pass=mypassword&site=MySpace
In short this users find says that Google is passing private information which includes MySpace, LiveJournal, Blogger, and TypePad login details over insecure channels. And since Blogger accounts sometimes use Google Accounts for login, such a flaw could expose a user’s GMail, Google AdWords, Google AdSense, and maybe even Google Checkout information (unless this information is encrypted).
The private and sensitive information is being passed without SSL, which is a basic and common step in the Internet security process.
Related:
Warning: YouTube Could Be Used To Hack Your Computer
Google Desktop Vulnerable To Attack
Search Google Without Google Ads
Awesome Hidden Google Pages
i hope google notices the amount of risk involved~~~thansx mate very informative post