FYI: World was warned FIVE years ago about flaw exploited in Google Docs phishing phrenzy

Google has known about the issue behind yesterday's wave of phishing attacks bearing links to Google Docs for at least five years. Sharp-eyed and long-of-memory security types have reminded world+dog of this 2011 post to an IETF mailing list by developer André DeMarre, who way back then speculated that client name application …

  1. Anonymous Coward

    Google?

    Lazy amateurs. And they make a fuss about exposing other people's bugs, ready or not, within 90 days? Good grief.

    1. Mark 85

      Re: Google?

      It's far easier to be a bully to others and shovel out crap than it is to be on the receiving end. So may they receive in abundance that which they have done to others.

  2. Potemkine Silver badge

    Woops

    May the one who never forgot a ticket in the bug database cast the first stone

  3. Anonymous Coward

    "is that they often don't show enough information for technical users"

    It's worse, they don't show enough information but for the most incompetent user. Marketing teams are obsessed that any useful information will confuse and worry the "average user" (who they identify with utterly incompetent users, basing that on themselves), and thereby it must be hidden.

    Recently I got a dialog from a mail client telling me that the certificate used by my mail server was "invalid or expired", asking me to trust it or not. Of course it didn't show *anything* about the certificate. Was it expired? Was someone playing MitM? How could I take a decision without any useful information?

    If OAuth lets anybody put a company name in the dialog without any kind of check or vetting, it's clear spoofing users is easy, and whoever designed it is clearly clueless. And then Google blames Symantec because it doesn't check and vet its certificates...

    1. DropBear
      Mushroom

      Re: "is that they often don't show enough information for technical users"

      Actually it's even worse than that - I consider myself a reasonably technical user, yet I'm pretty sure that I would fail at least half of the questions on a rigorous exam that would present me with any details I wish to examine while asking me to decide whether an internet-related request is genuine or malicious in some way. Sure, I'd get a bunch of them right, but also a bunch of them wrong, guaranteed. And if that's true, it begs the question what can be done at all, even if one were willing to present any and all information available, to enable users to make an informed decision...?

      I mean obviously it can't be as simple as "is that bit on the address bar green or red, present or missing, locked or unlocked?" - if it would be that simple, there would be no need TO ASK the user at all, the software would already know the correct answer! So if the software, with all its abilities to contact any third parties it wishes to try to validate whatever it can think of in a blink of an eye isn't able to decide the true validity of a request - seriously, what exactly is expected of me as a simple user?!?

      There is no way I can establish with certainty in 100% of cases whether some random unsolicited message is actually vitally important or fake, without actually taking a look! Yes, most things I receive are things I expect - but it's nowhere near 100%! There can always be smarter (or simply more original) messages than your run-of-the-mill "I'm the Nigerian finance minister" or "lt. Andrew Ferrara needing money" that I can't classify unless I view first, possibly including taking a look at anything attached! Why are devices asking me to make choices no additional information in the world will let me make correctly 100% of the time? "99% secure" is worthless - all they need is to get past me ONCE!

      I think there's a fundamental problem here much deeper than bugs and patches, exploits and security band-aids - as long as I'm not authorizing execution of code (and I should never have to do that unless I'm installing / launching a new piece of software), I should not need to worry about looking at anything coming my way - nor should I need to decide whether to accept or reject dubious stuff essentially equivalent to "I'm the pizza delivery guy, let me in!" sight unseen, based on "gut feeling" alone. Maybe I ordered no pizza, but maybe I did - or maybe one of my friends partying in the other room did! Maybe I've been sent a gift pizza! Maybe my neighbour ordered one and the delivery guy rang the wrong flat! We don't typically restrict our phones to accept only incoming calls from people in our contact list, do we?!? Yet accepting an unknown call isn't making me fear for my security! THAT'S the level of security that we should expect, nothing less!

      ...No, I don't purport to know the solution. But I do strongly believe calling the current state of affairs a "solution" in any sense of the word (let alone a workable one) is nothing short of a disgrace.

      1. John Brown (no body) Silver badge

        Re: "is that they often don't show enough information for technical users"

        "if it would be that simple, there would be no need TO ASK the user at all, the software would already know the correct answer! So if the software, with all its abilities to contact any third parties it wishes to try to validate whatever it can think of in a blink of an eye isn't able to decide the true validity of a request - seriously, what exactly is expected of me as a simple user?!?"

        The most likely answer is that you clicked OK, so if/when it ends up in court, the s/w publisher/author is not to blame because you clicked YES despite being warned of a risk. This might even work if it can be shown the dialogue box gave enough information to make an informed decision. But as has been stated, these dialogue boxes often contain almost (or actually) no useful information on which to base a decision. That defence might still be valid in the US for all I know, but as we see with so many things these days, other jurisdictions are often more proactive at protecting the consumer against unfair contracts.

  4. Gene Cash Silver badge

    "It's like if a web browser didn't show the address bar"

    Don't give Mozilla any more damned ideas...

    1. patrickstar

      Re: "It's like if a web browser didn't show the address bar"

      We're slowly but surely getting there, with browsers already not showing protocol and in some cases path info...

      1. Anonymous Coward

        Re: "It's like if a web browser didn't show the address bar"

        You mean like Edge, where it's the same colour as the borders until you click in it and the cursor focus is in the search bar.

        1. Anonymous Coward

          Re: "It's like if a web browser didn't show the address bar"

          "You mean like Edge, where it's the same colour as the borders until you click in it and the cursor focus is in the search bar."

          Edge shows the address bar when on a site unless you choose to switch to full screen mode...

          1. Anonymous Coward

            Re: "It's like if a web browser didn't show the address bar"

            "Edge shows the address bar when on a site unless you choose to switch to full screen mode..."

            so Edge shows the address bar EXCEPT when it doesn't show it.

            got it !

  5. Anonymous Coward

    So, are they liable for the damages now?

    I presume Google's Terms may allow them to escape the consequences of the now proven non-action in the US, but AFAIK it's not possible to write legal obligations out of the script in other countries.

    I wonder if someone can spin this into a court case. They probably won't dare because Google can keep them in court until they're poor (and will most likely find enough dirt in their email to keep it out of court anyway) but I think a liability exists.

    But hey, using Google is like making things public anyway, just to a smaller audience (for now).

  6. Velv
    Terminator

    Remember

    If it's free, you're not the customer, you're the product being sold!

    And as the product being sold, you have no rights to damages or compensation if it all goes wrong.

    1. John Brown (no body) Silver badge

      Re: Remember

      "And as the product being sold, you have no rights to damages or compensation if it all goes wrong."

      That is not always true. A more physical example would be a local beauty spot by a river our family used to visit many times when I was young. The land owner allowed free access onto the land where not only was the river good for swimming, there was a "natural" swimming pool caused either by erosion or maybe a small amount of quarrying (I was young!). But one day, the laws changed, either by precedent or Act, and the land owner became responsible for the safety of the people using this freely provided facility. He tried charging for the parking in the field but since that wasn't enough to pay for liability insurance, he fenced it all off. Somewhere that was known as "the Lido" for many, many miles around is now all but forgotten about.
