Bug in Google Reader Found

May 7th, 2008 at 12:00 am
 


bug reading

Google silently released the other day a feature in Google Reader that allowed users to add notes.  Though the new feature did make the reader more social, it also made blogger interaction easier wherein anybody can scribble down a note on a certain post and instantly shareit with their friends.

However, Google may have taken it too far and gave users too much room to move around.  A bug was detected in the new service which allowed users to edit HTML codes in the notes feature.  This ability can lead to a massive attack from some mischeivous hacker.

The bug was blogged by Ryan S. of Duff’s Device:

"The (current) top item in my Shared Items feed shows that you can alter the text of any article, I couldn’t find the permalink in my Shared Items Feed. This could lead to misleading people by changing the content, or even adding more content. It could end up with me not being able to trust content from shared items anymore. The article appears in my shared items feed with the article changed with the text I included. Note that you can alter full html markup of the article, potentially leading to other sorts of attacks. Hopefully Google changes this back soon, I’m content with them continuing to post the full article in my Shared Items feed."

The fact that users can deliberately change the content of a post that isn’t theirs is already a security vulnerability.  Furthermore, the ability to share that editted information makes the vulnrability into a crisis.  I’m sure Google will do something about this soon.