MAJOR SECURITY FLAW WITH GOOGLE SITEMAPS

David Naylor points out, as does this WebmasterWorld thread spotted via Threadwatch, a pretty surprising security oversight with Google’s new Sitemaps stats system that can allow anyone access to stats of other web sites, if those web sites don’t report 404/File Not Found errors correctly. Right now, I’m looking at stats for eBay and AOL, as well as Google’s own Orkut!

In order to see stats for a site, you have to verify you own it by installing a special file on your server. Google randomly generates a filename to use, you install this file, then Google checks to see if it exists. If it does, you can view stats for that site.

The problem is that some web sites respond as though any page exists, even when it doesn't. Rather than returning a 404 File Not Found status, they either dynamically generate a page with content anyway, or they tell the user the file doesn't exist while the status code sent to the browser says otherwise.

For example, try this:

http://www.ebay.com/djkfjkdjfkjd

You’ll see that eBay responds that the page doesn’t exist. However, behind the scenes it redirects the request (sending a 301 server code) to another page that has a 200 Page Found code. As a result, along with Dave and Barry, I’m now looking at eBay’s stats, along with AOL’s stats.

How could all three of us get access? Because both eBay and AOL turn any request into a page-found code — and remember, we were each given unique file URLs to enter. As far as Google is concerned, we have all correctly installed these files.
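The verification logic the post describes, beside a version that is not fooled by a site that answers "found" to everything, as an added example that is not from the post or from Google. The server tables, `make_fetch` and `echo_fetch` are constructed in-memory stand-ins for HTTP; the token `abc123` and the `google...` probe filename are assumptions.

```python
import secrets

# Constructed in-memory stand-ins for web servers: path -> (status, body).
# A path not in the table gets the "*" default, which is where the
# soft-404 behaviour lives. Nothing here touches the network.
HONEST = {"/abc123.html": (200, "abc123"), "*": (404, "Not Found")}
SOFT_404 = {"*": (301, "")}  # redirects every unknown path, like the eBay case
CATCH_ALL = {"*": (200, "<html>Sorry, no such page</html>")}  # 200 for anything


def make_fetch(server):
    """Return fetch(path) -> (status, body) that does NOT follow redirects."""
    def fetch(path):
        return server.get(path, server["*"])
    return fetch


def echo_fetch(path):
    """A server that answers 200 and reflects the requested filename as body."""
    return 200, path.rsplit("/", 1)[-1].removesuffix(".html")


def naive_verify(token, fetch):
    """The flawed check: the file 'exists' if the server does not answer 404.
    A 301 counts as success because a redirect-following client would land
    on a 200 page, which is exactly the hole the post describes."""
    status, _ = fetch(f"/{token}.html")
    return status != 404


def verify_ownership(token, fetch):
    """Hardened check: exact status, exact body, no redirects, plus a probe
    for a filename that was never issued to anyone."""
    status, body = fetch(f"/{token}.html")
    if status != 200 or body.strip() != token:
        return False
    # If a random, never-issued file also "exists", the server proves nothing
    # about who controls it, so refuse to verify.
    probe = secrets.token_hex(16)
    probe_status, _ = fetch(f"/google{probe}.html")
    return probe_status != 200
```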
