Entries from November 2008

Gmail security and recent phishing activity

We’ve seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners’ domains by unauthorized third parties. At Google we’re committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability.

With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we’ve seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers.

Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed worldwide within 24 hours of private disclosure of the bug details. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft.

We recognize how many people depend on Gmail, and we strive to make it as secure as possible. At this time, we’d like to thank the wider security community for working with us to achieve this goal. We’re always looking at new ways to enhance Gmail security. For example, we recently gave users the option to always run their entire session using https.

To keep your Google account secure online, we recommend you only ever enter your Gmail sign-in credentials at web addresses starting with https://www.google.com/accounts, and never click through any warnings your browser may raise about certificates. For more information on how to stay safe from phishing attacks, see our blog post here.
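The advice above is a rule a mail client or browser extension can apply mechanically, but only if it parses the link rather than testing the text prefix. The following added example (not Google code) checks a candidate sign-in link against the recommended prefix by comparing scheme, userinfo, exact host, port and path separately; the sample links are constructed, including a lookalike on the "google-hosts.com" name the post mentions:

```python
from urllib.parse import urlsplit

# Constructed constants for this example (not Google code): the sign-in prefix the post recommends.
TRUSTED_SCHEME = "https"
TRUSTED_HOST = "www.google.com"
TRUSTED_PATH_PREFIX = "/accounts"


def is_trusted_signin_url(url: str) -> bool:
    """True only if url really points at https://www.google.com/accounts...

    A plain text-prefix test is not enough: a lookalike such as
    "https://www.google.com@google-hosts.com/accounts" starts with the trusted
    text but sends the browser to google-hosts.com. So we parse the URL and
    compare scheme, userinfo, exact host, port and path separately.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != TRUSTED_SCHEME:
        return False                 # http:// would send the password in clear text
    if parts.username is not None or parts.password is not None:
        return False                 # "user@host" trick: the real host is after the '@'
    if parts.hostname != TRUSTED_HOST:
        return False                 # hostname is already lower-cased by urlsplit;
                                     # "www.google.com.google-hosts.com" is a different host
    if port not in (None, 443):
        return False
    path = parts.path or "/"
    # Require the /accounts segment itself, not merely the characters "/accounts"
    # (stricter than the post's wording; this example's choice).
    return path == TRUSTED_PATH_PREFIX or path.startswith(TRUSTED_PATH_PREFIX + "/")


def classify_signin_urls(urls):
    """Map each candidate URL to whether it passes the check above."""
    return {u: is_trusted_signin_url(u) for u in urls}


# Constructed sample links of the kind a phishing e-mail might carry, for the demo below.
SAMPLE_LINKS = [
    "https://www.google.com/accounts/ServiceLogin",
    "https://www.google.com:443/accounts",
    "http://www.google.com/accounts",
    "https://google-hosts.com/accounts",
    "https://www.google.com.google-hosts.com/accounts",
    "https://www.google.com@google-hosts.com/accounts",
    "https://www.google.com/accountsfake",
]

if __name__ == "__main__":
    for link, ok in classify_signin_urls(SAMPLE_LINKS).items():
        print("OK     " if ok else "REJECT ", link)
```

Only the first two sample links pass; each of the others fails on a different component, which is why the check compares components rather than strings.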

Migrate your JotSpot wiki to Google Sites

I’m excited to announce an easy migration option from JotSpot wikis to Google Sites. Users new to Google Sites can look forward to better performance and improved ease of use. Sites is tightly integrated with products like Google Docs, has much better WYSIWYG editing tools, and is available in 38 languages. JotSpot customers should have received an email last week about this migration, and can read more about it here:

http://sites.google.com/site/jotmigration

The migration is an opt-in process which is initiated by the JotSpot wiki administrator. Wiki owners not wishing to migrate to Sites can export their data for import into another system. The JotSpot data center will be shut down on January 15th, 2009.

Posted by Michael Nestler, Software Engineer

OAuth for Secure Mashups

A year ago, a number of large and small websites announced a new open standard called OAuth. This standard is designed to provide a secure and privacy-preserving technique for enabling specific private data on one site to be accessed by another site. One popular reason for that type of cross-site access is data portability in areas such as personal health records (such as Google Health or Microsoft HealthVault), as well as social networks (such as OpenSocial enabled sites). I originally became involved in this space in the summer of 2005, when Google started developing a feature called AuthSub, which was one of the precursors of OAuth. That was a proprietary protocol, but one that has been used by hundreds of websites to provide add-on services to Google Account users by getting permission from users to access data in their Google Accounts. In fact, that was the key feature that a few of us used to start the Google Health portability effort back when it was only a prototype project with a few dedicated Googlers.

However, with the development of a common Internet standard in OAuth, we see much greater potential for data portability and secure mash-ups. Today we announced that the gadget platform now supports OAuth, and the interoperability of this standard was demonstrated by new iGoogle gadgets that AOL and MySpace both built to enable users to see their respective AOL or MySpace mailboxes (and other information) while on iGoogle. However, to ensure the user’s privacy, this only works after the user has authorized AOL or MySpace to make their data available to the gadget running on iGoogle. We also previously announced that third-party developers can build their own iGoogle gadgets that access the OAuth-enabled APIs for Google applications such as Calendar, Picasa, and Docs. In fact, since both the gadget platform and OAuth technology are open standards, we are working to help other companies who run services similar to iGoogle to enhance them with support for these standards. Once that is in place, these new OAuth-powered gadgets that are available on iGoogle will also work on those other sites, including many of the gadgets that Google offers for its own applications. This provides a platform for some interesting mash-ups. For example, a third-party developer could create a single gadget that uses OAuth to access both Google OAuth-enabled APIs (such as a Gmail user’s address book) and MySpace OAuth-enabled APIs (such as a user’s friend list) and display a mashup of the combination.
While the combination of OAuth with gadgets is an exciting new use of the technology, most of the use of OAuth is between websites, such as to enable a user of Google Health to allow a clinical trial matching site to access his or her health profile. I previously mentioned that one privacy control provided by OAuth is that it defines a standard way for users to authorize one website to make their data accessible to another website. In addition, OAuth provides a way to do this without the first site needing to reveal the identity of the user — it simply provides a different opaque security token to each additional website the user wants to share his or her data with. It would allow a mutual fund, for example, to provide an iGoogle gadget to their customers that would run on iGoogle and show the user the value of his or her mutual fund, but without giving Google any unique information about the user, such as a social security number or account number. In the future, maybe we will even see industries like banks use standards such as OAuth to allow their customers to authorize utility companies to perform direct debit from the user’s bank account without that person having to actually share his or her bank account number with the utility vendor.
The OAuth community is continuing to enhance this standard and is very interested in having more companies engaged with its development. The OAuth.net website has more details about the current standard, and I maintain a website with advanced information about Google’s use of OAuth, including work on integrating OAuth with desktop apps, and integrating with federation standards such as OpenID and SAML. If you’re interested in engaging with the OAuth community, please get in touch with us.
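The privacy property described above (a different opaque token for each site the user shares data with, and no user identifier handed to that site) can be shown in a few dozen lines. The following added example is constructed for illustration and is not the OAuth wire protocol or any Google code: there are no request tokens, signatures or callbacks, only the access-control idea. The provider, consumer names, record fields and scopes are all made up.

```python
import secrets
from dataclasses import dataclass, field

# Everything here is constructed for illustration; it is not the OAuth wire protocol
# (no request tokens, signatures or callbacks), only the access-control idea the post
# describes: one opaque token per (user, consumer) pair, and no user identifier handed out.


@dataclass
class DataProvider:
    """Stand-in for a site holding private data, e.g. a health record or mutual-fund site."""
    records: dict                               # user_id -> {field: value}
    grants: dict = field(default_factory=dict)  # token -> (user_id, consumer, scope)

    def authorize(self, user_id: str, consumer: str, scope: str) -> str:
        """Called after the user approves 'consumer' seeing 'scope' on the provider's own UI.

        The consumer receives only a random token; the token encodes nothing about the user.
        """
        if scope not in self.records[user_id]:
            raise ValueError(f"unknown scope {scope!r}")
        token = secrets.token_urlsafe(24)
        self.grants[token] = (user_id, consumer, scope)
        return token

    def fetch(self, token: str, consumer: str, scope: str) -> dict:
        """API call made by the consumer; returns the scoped data and nothing else."""
        grant = self.grants.get(token)
        if grant is None:
            raise PermissionError("unknown or revoked token")
        user_id, granted_consumer, granted_scope = grant
        if granted_consumer != consumer:
            raise PermissionError("token was issued to a different site")
        if granted_scope != scope:
            raise PermissionError("scope not granted")
        return {scope: self.records[user_id][scope]}

    def revoke(self, token: str) -> None:
        """User withdraws a single site's access without touching other sites' grants."""
        self.grants.pop(token, None)


def demo():
    """Two consumers get two different tokens to the same user's data."""
    provider = DataProvider(records={
        "user-42": {"fund_value": 10500.25, "conditions": ["asthma"], "account_number": "1234-5678"},
    })
    fund_token = provider.authorize("user-42", "fund-gadget", "fund_value")
    trial_token = provider.authorize("user-42", "trial-matcher", "conditions")

    fund_view = provider.fetch(fund_token, "fund-gadget", "fund_value")
    trial_view = provider.fetch(trial_token, "trial-matcher", "conditions")

    # The gadget host cannot reuse the trial site's token, and vice versa.
    try:
        provider.fetch(trial_token, "fund-gadget", "conditions")
        cross_use_blocked = False
    except PermissionError:
        cross_use_blocked = True

    # Revoking one grant leaves the other site's access untouched.
    provider.revoke(fund_token)
    try:
        provider.fetch(fund_token, "fund-gadget", "fund_value")
        revoked = False
    except PermissionError:
        revoked = True

    return {
        "tokens_differ": fund_token != trial_token,
        "fund_view": fund_view,
        "trial_view": trial_view,
        "cross_use_blocked": cross_use_blocked,
        "revoked": revoked,
        "trial_still_works": provider.fetch(trial_token, "trial-matcher", "conditions") == trial_view,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the mutual-fund gadget never sees "user-42" or the account number; it holds a random string that is meaningful only to the provider, and comparing its token with the trial site's token reveals nothing about whether they belong to the same person.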

Vocito (Voe-kee-toe)*

For those of you who are lucky enough to be part of the GrandCentral Beta Program, there’s a new toy on the Google Mac Playground. Vocito* is a quick dialer that lets you dial your phone directly from your desktop.

Vocito is also integrated into Address Book, QuickSilver, and Automator, and is fully AppleScriptable.


The AppleScript connection makes it easy to have Vocito automatically dial your phone from just about any application that supports scripting or Automator actions. For example, you can easily set up your iCal meeting appointment to automatically dial the conference call for you at the correct time.

Since GrandCentral is currently in a limited beta, we don’t have any more invites to hand out right now. Those of you without a GrandCentral number can’t play just yet, so please reserve your number now to get in on the action as soon as more invites become available.

Vocito is available here for download. It works on Tiger and Leopard, is both PowerPC and Intel native, and is fully open sourced. There is a discussion group at vocito-discuss on Google Groups.
* Vocito is “call” in Latin. According to most scholars, Latin speakers used a hard ‘c’ (sounds like an English ‘k’) as opposed to the soft ‘c’ (sounds like an English ‘ch’) used by Italians and the Catholic Church. We decided to go with the hard ‘c’ to give us some street cred with all the Latin scholars out there. If it was good enough for Julie, it’s good enough for us.

Just say it! Searching by voice with the new Google Mobile App for iPhone

Call me lazy, but sometimes I just don’t have the time or the patience to type a search query on my iPhone. Well, no more excuses. With the new release of the Google Mobile App for iPhone, I can just hold the phone to my ear, wait for the tone and say stuff like “Indian restaurants.” And just like that, I’m looking at a bunch of places that will easily satisfy my craving.

And, of course, while I’m enjoying my Tandoori chicken, I can use the voice search feature to settle important disputes with my friends without ever having to lift a finger. I say “lyrics to Purple Haze” and Google quickly proves I was right. Ha ha! “How much wood COULD a woodchuck chuck?” I knew it! “Where HAVE all the flowers gone?” Wow. Didn’t know that one.

The new release can also make use of my current location when I search. So whether I’m in San Francisco, Chicago, or New York City, “Indian restaurants” is all I have to say to get my next Tandoori chicken fix.

Just remember not to search with your mouth full. It’s going to be harder now, for sure.

To get the latest Google Mobile App for iPhone, go to the App Store and search for “Google Mobile App.” Note that voice search will be enabled by default for U.S. English users only. You can learn more about the new Google Mobile App for iPhone on the Google mobile blog and by watching this overview video:

On-Demand Indexing for a fast-moving web

Tom Duerig and Nicholas Weininger, Software Engineers

Earlier this year when we launched Google Site Search, and AdSense for Search started using the Custom Search platform, we created a special Custom Search Engine (CSE) index for enhanced indexing. Webmasters could submit Sitemaps in Webmaster Tools, and the Custom Search platform indexed URLs from these Sitemaps into a special CSE index for more comprehensive coverage.

This solved an important problem: the need for enhanced index coverage for site search. The special CSE index, in addition to the Google index, enabled us to search deeper on selected sites, providing higher search quality.

Today, with our launch of On-Demand Indexing, we’re addressing the need to provide fast indexing for your important, frequently-changing content. On-Demand indexing allows anyone with a Google Custom Search Engine or Google Site Search to identify and tell us about new pages or recent site changes by submitting a Sitemap to our Webmaster Tools. You can then select this specific Sitemap in the Indexing tab of your CSE control panel and hit the new “Index Now” button. We will immediately schedule the relevant pages for crawling and indexing, and these pages will be included in your search results usually within 24 hours – often much faster.



We realize that new or frequently updated content is often crucial to a website. In order to give you more control over how you use the On-Demand Index resources allocated to you, we will honor the priority and lastmod attributes that you provide in your Sitemap – this means you can identify what URLs should be given preference. Please ensure that your Sitemap metadata is up-to-date.
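Because the priority and lastmod attributes decide which URLs get preference, it is worth seeing how a Sitemap is read and ordered by those two fields. The following added example (not Google’s indexing code) parses a constructed Sitemap and selects URLs for a fixed crawl budget, highest priority first and most recently modified first within a priority; the default priority of 0.5 and the 0.0–1.0 range come from the Sitemap protocol, while clamping out-of-range values and treating date-only lastmod values as UTC are this example’s own choices:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed sample Sitemap for this example (not from the post).
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/news/today</loc><lastmod>2008-11-20T09:00:00Z</lastmod><priority>0.9</priority></url>
  <url><loc>https://example.com/archive/2007</loc><lastmod>2007-03-01</lastmod><priority>0.2</priority></url>
  <url><loc>https://example.com/products</loc><lastmod>2008-11-19</lastmod></url>
  <url><loc>https://example.com/blog</loc><lastmod>2008-11-21</lastmod><priority>0.5</priority></url>
  <url><loc>https://example.com/about</loc><priority>1.5</priority></url>
</urlset>"""


def parse_lastmod(text):
    """Parse a W3C-datetime lastmod (date-only or full timestamp); None if absent or invalid."""
    if not text:
        return None
    value = text.strip()
    if value.endswith("Z"):               # fromisoformat before Python 3.11 does not accept 'Z'
        value = value[:-1] + "+00:00"
    try:
        stamp = datetime.fromisoformat(value)
    except ValueError:
        return None
    if stamp.tzinfo is None:              # date-only values are naive; treat them as UTC (our choice)
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp


def parse_priority(text):
    """Sitemap priority is 0.0..1.0 with default 0.5; out-of-range values are clamped here
    (clamping is this example's choice, not documented indexer behaviour)."""
    if text is None:
        return 0.5
    try:
        value = float(text)
    except ValueError:
        return 0.5
    return min(1.0, max(0.0, value))


def parse_sitemap(xml_text):
    """Return a list of {'loc', 'lastmod', 'priority'} dicts in document order."""
    root = ET.fromstring(xml_text)
    entries = []
    for url in root.findall(SITEMAP_NS + "url"):
        loc = url.findtext(SITEMAP_NS + "loc")
        if not loc:
            continue
        entries.append({
            "loc": loc.strip(),
            "lastmod": parse_lastmod(url.findtext(SITEMAP_NS + "lastmod")),
            "priority": parse_priority(url.findtext(SITEMAP_NS + "priority")),
        })
    return entries


def select_for_indexing(entries, budget):
    """Pick up to 'budget' URLs: highest priority first, then most recently modified;
    URLs without lastmod sort after dated ones of the same priority."""
    def sort_key(e):
        has_date = e["lastmod"] is not None
        stamp = e["lastmod"].timestamp() if has_date else 0.0
        return (-e["priority"], 0 if has_date else 1, -stamp)
    return sorted(entries, key=sort_key)[:budget]


if __name__ == "__main__":
    for e in select_for_indexing(parse_sitemap(SAMPLE_SITEMAP), budget=3):
        print(f"{e['priority']:.1f}  {e['lastmod']}  {e['loc']}")
```

With a budget of three, the sample selects /about (priority clamped to 1.0), /news/today (0.9) and /blog (0.5, but modified more recently than /products at the same default priority); /products and the 2007 archive page wait for a later allocation, which is exactly why stale lastmod values cost you preference.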

On-Demand Indexing uses a special index that is designed just for Custom Search. The main Google search indexing process is separate and uses different selection criteria, so submitting pages for On-Demand Indexing will not make them appear any faster in the main Google index, or impact ranking on Google.com. For more information on On-Demand Indexing, as well as the allocation per CSE, please refer to our FAQ.

We are always listening at our Custom Search discussion group, so please continue to tell us what features you’d like to see added to Custom Search.

Voice and video chat now in Gmail

We are happy to announce the release of voice and video chat in Gmail. Now you can chat in high quality audio and video with your Google Talk contacts from Gmail. Check out the details on the Gmail blog and the Official Google blog.

Serge Lachapelle
Product Manager, Stockholm

Is Your Web Truly World-Wide?

The Reader team is happy to announce that another 20% project has come to fruition: automatic translation in Reader! Post by 20% volunteer and glottology expert, Brett Bavar.

Believe it or not, the web truly is world-wide. That means there is a lot of interesting content out there in languages other than your own. You might have missed out on this content in the past, but now, with automatic translation in Reader, you don’t have to miss a thing!

Next time you find an interesting feed in another language, just subscribe to it as normal in Reader. When you view the feed in Reader, check off “Translate into my language” in the feed settings, and (voila!) the feed will be immediately translated for you. Also, this setting will be saved so you can always view this feed in your own language.

Many thanks go out to the awesome engineers on the Google Translate team, who have provided the technology to make this possible. As they continue to make their translation systems better, you will get to reap the benefits automatically.

Have fun discovering all the great content out there on the truly world-wide web!

Reactions: easily engage your readers

One of our goals at Blogger is to make it easy for authors to get feedback on their content; we believe that authors are driven in part by the reactions and criticisms offered by their readers, and that these interactions enhance the quality of blog content. In support of this effort, we’re launching Reactions, simple annotations chosen by authors and given by readers.

With Reactions, readers can easily respond with one click, increasing feedback on posts.

Photo by Kevin Steele

To enable Reactions, log in to your dashboard, go to Layout > Page Elements and click the Edit link in the Blog Posts element to open the blog post configuration tool. Then, check the box next to Reactions, edit your reactions as a comma-separated list, and click Save.

Reactions works with Layouts templates, though if your template is heavily customized, you may have to reset your widget templates for Reactions to appear. If you have a Classic template you will need to switch to Layouts to use Reactions.

Of course, Reactions isn’t the only way to gather great feedback from readers; we also recently launched the Embedded Comment Form. With both Reactions and better commenting, we aim to make it easier for you to get the response and adoration you deserve.

Try Reactions now! We hope your reaction is <3.

Updated, 2:30 PM: Corrected to say that Reactions is a Layouts-only feature.

Blogger.com – more like a big truck, less like a series of tubes

Here at Blogger we’re always working to make the site and your blogs faster and more reliable. We want you to think of us as a big truck: able to handle anything you can dump on us.

Tuesday’s election was a good chance to see just how big a truck Blogger actually is, and we’re happy to report that Blogger-hosted blogs, for the most part, held up under the record-setting traffic.

That being said, there were definitely some hiccups (potholes?) along the way. Our favorite political and polling analysis blog, FiveThirtyEight.com, received an order of magnitude more visitors than the next most visited blog. They also received more than 50 times as many comments as the next most commented-on blog. Unfortunately, this traffic caused some publishing delays for Nate and Sean as well as some intermittent slowness on their site.
After we got word of the trouble, we were able to shift some resources around to keep things running fairly smoothly for the rest of the night. Now that traffic has calmed down, our engineers are hard at work tuning and improving Blogger based on the experience.

We’d like to thank bloggers, commenters, and readers for participating in one of the biggest blogging events ever. Your voices validate what we do, and every day we look forward to making Blogger faster and better for you.