Google pulls insecure App Engine feature

By

Now serves only HTTPS.

Google has closed a feature in Apps Engine that allowed traffic to be served unencrypted – a function which a security researcher used to highjack accounts.

Google pulls insecure App Engine feature

The application deployment tool feature allowed developers to deploy their applications over HTTP if they could not connect via HTTPS.

SC reported the flaw last week after it was revealed during a talk by Iowa State University researcher Matthew Sullivan.

Sullivan used his Cookie Cadger tool to steal cookies used during a friend's Google App Engine session, run over the conference's open wireless network.

He used the stolen data to access the account console and modify App Engine data.

“If someone is in admin, you can view the sourcecode, view and edit the datastore. If you use two factor [authentication], it is not going to save you,” he told an audience at Derbycon.

Google quickly revoked HTTP functionality, forcing the application deployment tool to serve only over HTTPS.

It said the change did not affect App Engine applications’ traffic, which developers could configure to serve only over HTTPS and added usage of the insecure feature was low.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift

Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks

WhatsApp banned on US House of Representatives devices

WhatsApp banned on US House of Representatives devices

Victoria's first government tech chief steps down

Victoria's first government tech chief steps down

Log In

  |  Forgot your password?