
Iowa Student Gets Internship from Google for Reporting Security Flaw: More Proof Vendors Need Stronger Security Checking For Their Products

Last night, while my sons and I were watching the news, it was reported that in Davenport, Iowa, a St. Ambrose University student, David Bloom, found a security flaw in early December while he was using the Google Docs and Spreadsheets program.

"...he discovered a way to run JavaScript code in the Web-based program. This vulnerability, referred to as cross-site scripting, or XSS, could allow a hacker to fool a user into divulging a password and other account information, which could result in malicious uses, such as sending spam or viruses from that user's account."

A pretty significant find!

He alerted Google on December 3 about the flaw. The co-creator of the flawed program, Sam Schillace, got back to Bloom the very next day and asked him if he wanted to do a summer internship with Google.

Bloom accepted and will be in Palo Alto, CA for his internship from May 22 to August 14.

My 7-year-old Heath thought he should have gotten a big cash reward, "like, a thousand dollars." My 10-year-old Noah said, "Gee, if that problem would have messed up lots of computers with viruses, and caused a lot of identity thefts, it would have cost Google millions! He should get a lot more money along with a job." Noah has always preferred Ask.com to Google. :)

He has a good point. Had the Google application flaw been maliciously exploited, it could have cost Google millions to clean up the resulting mess. They are very lucky Bloom contacted them; Bloom discovered what the Google developers should have found and fixed before the application was put into production.


Of course, it is good ethical practice to notify vendors of their security problems, and Bloom is to be commended. It is great to see a security-conscious college student, and I think it is great that Bloom is getting an internship as a result. This is certainly motivation for folks to report security problems. But I wonder, is this enough? Being notified about a significant security flaw such as this is certainly worth quite a bit to Google.

And what will Google do to strengthen its application testing procedures to ensure such a big security flaw does not again make it into production?

This points out the need to incorporate information security and privacy checks into the entire SDLC process, as I've blogged about many times before, such as here.

So many vendors either just shrug off the flaws reported to them, or try to make excuses for them. Perhaps other vendors will also start rewarding good Samaritans for reporting security problems, as well as strengthening the incorporation of security checks throughout the SDLC process.

What do you software vendors think? What would you do if someone reported a significant security flaw in your product? And are your application testing procedures rigorous enough to catch this type of security flaw before your application is approved for production?
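The kind of pre-production check the last question asks about, as an added example that is not part of the original post and is not Google's code: a hypothetical spreadsheet-cell renderer written both the way that opens an XSS hole (user data spliced straight into markup) and the encoded way, plus a small probe test of the sort an SDLC security gate can run against every renderer before release. The renderer, the probe strings and the allowed-tag list are all constructed for illustration.

```javascript
// Added illustration, not code from the post or from Google. A hypothetical
// web app renders a user-supplied spreadsheet cell into an HTML <td>. The
// "vulnerable" renderer concatenates user data into markup; the "hardened"
// one encodes it for the context it lands in. findXssLeaks() is the
// pre-production check that flags the first and passes the second.

// Encode the five characters that let a string break out of HTML text or a
// quoted attribute. The value stays readable; no markup can be injected.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: a cell holding "<img src=x onerror=...>" becomes live script,
// and a cell holding '" onmouseover="...' breaks out of the title attribute.
function renderCellVulnerable(cell) {
  return `<td title="${cell.note}">${cell.value}</td>`;
}

// Hardened: every user-controlled field is encoded before it is placed in
// HTML text content or in a double-quoted attribute value.
function renderCellHardened(cell) {
  return `<td title="${escapeHtml(cell.note)}">${escapeHtml(cell.value)}</td>`;
}

// Constructed probes (hypothetical test data, not from any real report).
const XSS_PROBES = [
  "<script>alert(1)</script>",                       // element injection
  '<img src=x onerror="alert(document.cookie)">',    // event handler on a new element
  '" onmouseover="alert(1)',                         // attribute break-out
];

// The only element the renderer is supposed to emit.
const ALLOWED_TAGS = new Set(["td"]);

// Pull attribute names out of a tag's attribute text, honouring quotes so an
// encoded &quot; inside a value is not mistaken for an attribute delimiter.
function attributeNames(attrText) {
  const names = [];
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True if the rendered HTML contains an element outside the allow-list or
// any on* event-handler attribute, i.e. a probe survived unencoded.
function htmlLooksInjected(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return true;
    if (attributeNames(m[2]).some((n) => n.startsWith("on"))) return true;
  }
  return false;
}

// Run every probe through a renderer; returns the probes that got through.
// An empty list means the renderer passed the gate.
function findXssLeaks(renderFn) {
  return XSS_PROBES.filter((probe) =>
    htmlLooksInjected(renderFn({ value: probe, note: probe }))
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable renderer leaks:", findXssLeaks(renderCellVulnerable));
  console.log("hardened renderer leaks:", findXssLeaks(renderCellHardened));
}
```

Run with `node`: the vulnerable renderer leaks all three probes, the hardened one leaks none. The checker deliberately parses quoted attribute values rather than grepping for `onerror=`, because the encoded output still contains that substring as inert text; a grep-style check would fail the fixed code and teach developers to ignore the gate.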


Comments

Then again, spending bucks on internal testers and security QA is far more significant than letting average Joes report vulnerabilities. :( One of the sad, unspoken truths. Make a product. If it gets popular, the users will provide some QA for you on the cheap. If it flops, at least you didn't spend the money. :(

"They are very lucky Bloom contacted them" ...my thoughts exactly. Because the student decided to report the issue, Google can (sort of) use this as a positive story in the media... at least compared to what the damage could have been if a hacker was the one who came upon the security hole.
Whether Google awards Bloom money or not, I'm sure this finding will help him greatly with his job hunt and making a name in the security arena, but I agree that they should have done SOMETHING to commend his work.

Owners of Google need a better security team. I myself, as a programmer, test my programs every single time I get something new added, to see if it works and to see if I can think of anything to exploit, no security [security is limitations, nothing more] on certain fields/selections/locations, and then if I find one I patch it up. Once a version gets out I do the same; I test it on different machines with different people. My security team consists of two people, me and my grandfather; he reports bugs faster than I can fix them.... Anyway, the money that could have cost Google could have been high; however, the average user SHOULDN'T input password/account name/etc. into ANY field unless you are 100% sure it's not theft. Of course, I realize most average people don't think this way.

Good points folks...

LonerVamp, I agree about how the vendors have historically depended upon their customers to do the QA for them for free. However, as the trend grows for penalizing and fining software vendors for not making their products secure...and as more individuals are victims of cybercrime as a result...they will learn that it is much cheaper to build in security from the start.

Mila, good point; definitely great PR spin for Google...they certainly tried to make lemonade out of their lemons, didn't they? :)

Kalbintion, I commend you and your grandfather for your good programming practices! Yes, all programmers should know how to build security into their software.

I thank you, Rebecca, and I'd like to state: I'm hoping to get a job where my grandfather works, as a tech. Hope it goes well. [I believe I'll be hired, or something will happen with me, since I've made two programs for the district already, for free... and they all know what I can do down there, so that helps too.]

Thank you for the follow-up Kalbintion.

That would be great if you were able to work with your grandfather. Yes, it sounds like you have a good foot in the door. Good luck to you!


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.