Google closes App Engine hole

By

Revokes HTTP functionality to avoid data theft.

Google has closed a feature in Apps Engine that allowed traffic to be served unencrypted – a function which a security researcher used to highjack accounts.

Google closes App Engine hole

App Engine provides server and storage infrastructure, SQL database and software tools to organisations including real estate group Ray White, “Angry Birds” game developer Rovio and e-commerce site Shoes of Prey.

It previously allowed developers to deploy their applications over HTTP if they could not connect via HTTPS.

But it revoked HTTP functionality late last week, after a flaw was revealed by Iowa State University researcher Matthew Sullivan at the Derbycon conference.

Sullivan used his Cookie Cadger tool to steal cookies used during a friend's Google App Engine session, run over the conference's open wireless network.

He used the stolen data to access the account console and modify App Engine data.

“If someone is in admin, you can view the sourcecode, view and edit the datastore. If you use two factor [authentication], it is not going to save you,” he told the conference.

Google said the change did not affect App Engine applications’ traffic, which developers could configure to serve only over HTTPS and added usage of the insecure feature was low.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident

Log In

  |  Forgot your password?