Ronald had a really good post about how Google’s files were open to the world. A few people messaged me and said they were surprised I didn’t jump on it the second it was mentioned. Yah, I know, I probably should have, but get this, I actually felt sorry for Google. I know, call me a big softy. And it’s not because I’m working for Google, so don’t get your panties in a bunch here.
But no, think about the vast surface area that Google has to protect. It’s incredible when you think about it. Missing a single file permission can really ruin your day when you are a multi-national corporation. Okay, enough coddling Google, let me go back to my hard-line stance. Google has a responsibility to be better about this than most people. Why? Because they have more market share. They cannot mess up. They don’t have the right to.
If some tiny mom and pop web-store has this issue it’s bad. If Google has it, it could affect hundreds of millions of people. Sorry, that’s just not allowed. This was a security 101 mistake, and it’s unknown what sort of damage it could have caused. The fact that this has not already shown up on Google’s new security blog is testament to how impotent it probably will end up being. It’s tough to talk about your own problems when you’re the best and the brightest. That’s a big pill to swallow.
Incidentally, I mentioned on the NWC blog how I think the original person who discovered the vuln might have found it:
Basically, the page is the first google search result for: google remove url
Oops. So in the irony of all ironies, Google was possibly nailed by a Google search.