Comment Re:The Microsoft argument (Score 3, Insightful) 232
As the reporter of the first bug reported in the register article, I certainly didn't go looking for it because of google, it was trivial to find, I found it 2 1/2 years ago (you can see a usenet post from 2002 which describes it, when XSS into google didn't matter much, phishing was new, and google had no data)
The reason we're getting this deluge of security flaws in google now is simply because people are now looking, they're easy to find, the XSS flaws are trivial (like ignoring you're encode user input before writing it into the page)
The issues are Googles lack of QA and security testing - do you think it's reasonable to release an HTML product which searhed personal data on peoples machines without having a test which provided some javascript as the search term? I think the failure to do that is incompetence of a level that makes MS's old security look good.
Yes, Google have fixed the flaws quickly, that's because the flaws are trivially easy to fix - html encoding a string isn't hard, even in python.
The reason we're getting this deluge of security flaws in google now is simply because people are now looking, they're easy to find, the XSS flaws are trivial (like ignoring you're encode user input before writing it into the page)
The issues are Googles lack of QA and security testing - do you think it's reasonable to release an HTML product which searhed personal data on peoples machines without having a test which provided some javascript as the search term? I think the failure to do that is incompetence of a level that makes MS's old security look good.
Yes, Google have fixed the flaws quickly, that's because the flaws are trivially easy to fix - html encoding a string isn't hard, even in python.
