Thursday, February 12, 2009




Online Job 1 Earn Rs.2000 daily. No Investment. Wanted ,Job is only through Internet. Work part time. You can earn Rs.750-2000/- daily. These are genuine Internet jobs. No Investment required. Only serious enquires more detail contacthttp://education2007.kavitha.



I’ve now received confirmation from Google’s Security Team that the latest vulnerability Philipp posted about has been fixed. After carrying out some investigations of my own, I believe this is the case – so I’m going to share with you what the problem was and how I was able to exploit it. In doing so, I hope to educate other developers about the potential flaws that can occur in growingly complex web applications.
In summary, I was able to create a page that was hosted on a domain, which is something that should never be allowed to happen. Because of this vulnerability, I was then able to use a simple bit of code to steal someone else’s Google cookie and access their Google services.

Earlier this month, Google announced that Blogger Custom Domains would allow you to host your own blog on the Blogger platform using your own domain name rather than a address.
Here’s how it should work:
Buy your domain name – e.g.
Create a CNAME record that points your domain or subdomain to – e.g. (see these Blogger Help and Google Help entries for more information on DNS settings and creating CNAMEs)
Setup your blog using a address (if you’ve not already got one) – e.g.
Enter your domain name in Blogger’s Custom Domain publishing settings – e.g.
Any requests to would be redirected to where your blog is now being hosted by Blogger
Soon after this feature was announced, I realized that you could enter any domain name in Blogger’s Custom Domain publishing settings regardless of whether you owned the domain or had setup a CNAME to point to Since Blogger claims that “you don’t have to pay extra for hosting service” and Google promotes private registration (meaning your details are withheld from a WHOIS lookup) there’s no reliable way to verify whether the Blogger user actually owns the domain they’re entering.
Under normal circumstances, this isn’t a problem; entering a domain that doesn’t have its CNAME setup to point it to would simply result in any requests to the address being redirected to the domain. And this is actually useful for anyone with a address who wants to move their blog away from Blogger’s servers by using either FTP-publishing or another blog service altogether. (For example, now redirects to which is hosted on my own server.)
This could only cause problems if you were to enter a domain name that already had a CNAME pointing to (or another address that’s pointing to the same place). But what are the chances of being able to find a domain that’s already setup like that? Well... it was easier than you might think.
Proof of Concept Implementation
In the Google Blogoscoped Forum, Art-One had reported that he’d seen a Japanese blog being hosted at (which is the same domain used by Custom Domains in Google Apps for Your Domain).
Whether this was done intentionally or completely by accident, someone had entered as their Blogger Custom Domain. Since no blog was setup at this address, Blogger had allowed them to host their blog there. And that’s when the alarm bells started to ring. This would allow me to host my own content on the domain too...
Since I keep a close eye on Google subdomains, I knew that wasn’t the only domain that pointed to that location and I immediately claimed ghs.l.

.com as my custom domain. (Google quite often has *.

.com subdomains setup as CNAMEs for their * equivalents.)
As any web developer will know, a page hosted at an address like is perfectly capable of reading and writing cookies, which meant that when Philipp visited my “proof of concept” page hosted on the domain, I was able to “borrow” his cookie data. This can be easily achieved using some simple JavaScript that would read the cookie and place the data into a hidden form field element. The form could then be automatically submitted to another server which would be hosting a server-side script capable of logging the form data to a database, text file or send it in an email.
Once the cookie data had been received, there are a number of methods which could be used to write data to a cookie – meaning the hacker would be able to have the same cookie data as you, giving them access to your

Account and services.*
Problem Fixed
The Google Security Team was informed of the issue before I’d even written my proof of concept script to test on Philipp. Around three and a half hours later, Google had deleted my test page and were redirecting both ghs.

.com and to Blogger’s standard “blog not found” page. (They’re now redirecting both addresses to the home page.)
Later that evening, I received this response:
Thank you for reporting this issue to us. We take the security of our users and their information very seriously. We wanted to let you know that we addressed this problem with expediency and have taken steps to ensure it cannot occur again.
It seems that Google followed my advice and fixed the problem by disallowing any Google domains to be entered as a Blogger Custom Domain. Trying to enter a Google domain in this field will return an error stating, “Another blog is already hosted at this address.” (Theoretically, this is overkill because the domain would also need to be pointing at – but it’s always better to be safe than sorry!)
Avoiding Vulnerabilities
There are a number of ways to make sure you – as a user – don’t get caught by a security loophole like this. Some people would say you should only visit pages you trust – but who doesn’t trust a page on the domain? Others might say the answer is to disable JavaScript in your browser – but then you wouldn’t be able to use websites and applications that rely on JavaScript being enabled. You could also turn off or clear your cookies – but that could prevent many services that require a login from working. In this case, my proof of concept script would have failed if the user had either signed out of their Google Account, cleared their cookies or disabled JavaScript before visiting my page. But would you be prepared to do that before visiting any website you didn’t know was 100% safe? Of course, I could have just put up an official-looking page that was hosted on a Google domain showing a Google Account login box asking for a username and password – and who wouldn’t enter their Google Account details if they thought they were going to be one of the first to get a peek at a new Google service?
How can companies like Google prevent this from happening when developing new applications or features? I guess the most important rule is to make sure nobody can host or inject content (and particularly scripts) on your primary domain or a subdomain of your primary domain. This isn’t the first time that Google allowed this to happen. Just a few months ago, a user realized the Google Public Service Search could be exploited in a similar way, demonstrated with his Gmail Plus phishing page. This time it was a very special case though. Who would have thought that someone would find a domain pointing to the right place and enter it as their custom domain? Some simple input validation would have allowed them to reject any requests for domains to be used. But perhaps a more secure approach would have been to use a completely different domain in the first place – something like, or – all of which Google already own. It’s too late to change that now though, as thousands of users will already have pointed their domain to the address.

Online Job 1 Earn Rs.2000 daily. No Investment. Wanted ,Job is only through Internet. Work part time. You can earn Rs.750-2000/- daily. These are genuine Internet jobs. No Investment required. Only serious enquires more detail contact


Earn Rs.10,000+ Per Month working just 1-2 hrs/day. We Offer Simple Typing Jobs best suited for students, Part time workers, house wives, retired persons. Your earning Potential is absolutely unlimited. Payment guaranteed. For more
Another way to prevent this from ever happening again would be to change how the same cookie is used to identify a user and give them access to many services. It seems odd that I could access Philipp’s Google Account at the same time as him from a completely different location, via a different IP address, using a different web browser with exactly the same cookie data. Admittedly, Google’s cookie is probably more secure than most – and I could no longer access his account when Philipp changed his password.

adposting job
Finally, I think it’s worth pointing out that only a small number of people would have been able to exploit this security vulnerability because there are only a limited number of domains which would have met the requirements – and once a domain is “claimed” it is unavailable for others use. work at home job, the Japanese blog didn’t contain any malicious script and my proof of concept page was only online for a few hours at an obscure address that was only visited by myself and Philipp. But if you have reason to believe that your account has been accessed without your permission,google adsense the best advice is probably to change all your passwords as soon as possible.
* Services that were accessible using this technique included: Google Alerts, Google Analytics, Google Base, Google Bookmarks, Google Code, online dataentry Co-op, Google Docs and Spreadsheets, Google Finance, Froogle Shopping List, Google Image Labeler, Google in Your Language, Google Groups, Local Business Center, Google Maps (Saved Locations), Google Notebook, Personalized Homepage, Personalized Search (Search Historysurvey job, Google Reader, 3D Warehouse (SketchUp), Google Video and Google Webmaster Tools.


Online Job 1 Earn Rs.2000 daily. No Investment. Wanted ,Job is only through Internet. Work part time. You can earn Rs.750-2000/- daily. These are genuine Internet jobs. No Investment required. Only serious enquires more detail contact

Google Details Health Records System
February 29, 2008 by Geoff Duncan
Google CEO Eric Schmidt has offered a first glance at Google Health, the Internet giant's initiative to make health records portable...and in patients' control.
At a closing keynote at the Healthcare Information and Management Systems Society HIMMS) conference in Orlando, Florida, Google CEO Eric Schmidt gave the first public preview of Google Health , and outlined how Google envisions the system making patients' medical records and health information easily portable between doctors, hospitals, pharmacies, andother health care providers, at the same time preserving patients' privacy and enabling them to have complete control over their medical information. He also said Google Health won't offer up ads; instead, wants to make money on the service by using it to drive traffic to its existing search offerings.
Google Health is not yet available publicly, and likely won't be widely available for a few months Google announced last week it is conducting a trial with the Cleveland Clinic to test the system. Schmidt also announced Google has signed deals with a number of hospitals and health care companies to support the service, including Quest Diagnostics, health insurance provider Aetna, Walgreens, and (significantly) Wal-Mart pharmacies.
Schmidt emphasized that the system will not share data without a user's consent, and users would access the system with a username and password from any Internet-enabled computer. Google has also summarized the main features of Google Health in its official blog.
Google faces competition in the health records arena from Microsoft's HealthVault initiative, announced last October, along with Revolution Health, a similar service backed by AOL founder Steve Case.
Industry watchers have flagged all these online health records systems as having serious privacy concerns: in addition to potentially serious ramifications if the system were to be breached or grant unauthorized access to health information, information stored in such systems would not be protected by the 1996 HIPAA act, requires patents receive notification if their records are subpoenaed, along with other protections. Exclusion from provisions of the HIPAA act means, potentially, information stored in online health records systems could legally be used for marketing and other purposes without users' knowledge or consent.

Get all your news and blogs in one place with Google Reader
With Google Reader, keeping up with your favorite websites is as easy as checking your email.

utmx_section("Bullet Text")

· Stay up to date Google Reader constantly checks your favorite news sites and blogs for new content.
· Share with your friends Use Google Reader's built-in public page to easily share interesting items with your friends and family.
· Use it anywhere, for free Google Reader is totally free and works in most modern browsers, without any software to install.

Find local businesses, view maps and get driving directions in Google


Aggregated headlines and a search engine of many of the world's news sources.


The philanthropic arm of the company. Lists its activities


Searchable archive of more than 700 million Usenet postings from a period of more than 20 years


Want to help improve Google Image Search? Try Google Image Labeler. Advertising Programs - Business Solutions - About Google. ©2009 Google.

google analytics
google uk
google desktop
google docs
google adsense
google suggest
google adwords
google apps

Google offered in: Fran├žais · Advertising Programs - Business Solutions - About Google - Go to ©2009 - - 8k - Cached - Similar pages
Google - Wikipedia, the free encyclopedia
Google Inc. is an American public corporation, earning revenue from advertising related to its Internet search, e-mail, online mapping, office productivity, - 255k - Cached - Similar pages
Official Google Blog
6 Feb 2009 ... Official weblog, with news of new products, events and glimpses of life inside - 105k - Cached - Similar pages
Google Earth education2007.kavitha - AD POSTING JOBS
Offers maps and satellite images for complex or pinpointed regional - 8k - Cached - Similar pages
Offers the choice of searching the whole web or web pages from education2007.kavitha - FORM FILLING JOBSAustralia. Also advanced search, image and groups search, news and directory from the Open - 8k - Cached - Similar pages
Google Language Toolsadposting job
Translation of text and web pages between English and several European - 60k - Cached - work at home job pagesMore results from »
Google Toolbar google adsense
Internet Explorer and Firefox Toolbar with Google search. Additional options include a pop-up blocker and - 10k - Cached - Similar pages
Google Code
Early registration is officially open for Google's largest developer event of the year, Google I/O, being held on May 27th and 28th, 2009 at Moscone Center - 8k - Cached - Similar pages
Google Adwords
PPC program where webmasters can create their own ads and choose - 31k - Cached - Similar pages

Online Job 1 Earn Rs.2000 daily. No Investment. Wanted ,Job is only through Internet. Work part time. You can earn Rs.750-2000/- daily. These are genuine Internet jobs. No Investment required. Only serious enquires more detail contact


Anonymous said...

Indian Free Classifieds :

I like to visit your blog and it is have interesting writings about business opportunity and you can also visit website for indian free classifieds to get more ideas about online business from home and you can find more home based business opportunity to work at home in your part time at jobs online.

Indian Free Classifieds

Shipping Directory

Part Time Jobs

bhim said...

Interesting… I might try some of this on my blog, too. It’s quite interesting how you sometimes stop being innovative and just go for an accepted solution without actually trying to improve it… you make a couple of good points.
internet work parttime

Ridwan said...

There's a movement to radically change California government, by getting rid of career politicians and chopping their salaries in half. A group known as Citizens for California Reform wants to make the California legislature a part time time job, just like it was until 1966.

jessie said...
This comment has been removed by the author.
jessie said...
This comment has been removed by the author.