Google Fixes Major Weakness in Google Apps

Amongst all the furore surrounding Chrome, Google this week also patched a serious vulnerability with the Single Sign On support for Google Apps.

Something that might have gone unnoticed from Google this week is the patching of a serious vulnerability that previously allowed an attacker to exploit a weakness in Google's Single Sign-On service used with Google Apps to take over a victim's Google account.

While the specific information about the vulnerability was not published until Google had patched the issue, it chains together simple concepts, so it is considered likely that it has already been discovered and used by others.

Single Sign On services, whether it is aborted ideas like Microsoft's PassPort, the current Open-ID, or any number of desktop-based integration tools, all have the same basic weakness. Because they are designed to allow access to varied authenticated resources through the use of a common authentication token of some form, then a compromise of the token allows for access to a much broader set of services and assets than the attacker would have had without the Single Sign On system.

Ultimately, use of Single Sign On technologies can be described as a pure security / usability trade-off. In order to gain the usability of not having to remember / provide unique authentication for a series of services, the security of having properly compartmentalised access to each service is forgone.

Join the newsletter!

Error: Please check your email address.

Tags Google Apps

Show Comments
[]