UK East Coast rail operator GNER has launched a new website which features an improved booking engine. Prior to this all UK rail operators used a branded version of thetrainline which is looking a bit dated these days. This new site raises the bar as to what to expect from a rail booking engine. (more…)
When former Microsoft blogger Robert Scoble posts such a harsh attack on Microsoft’s ‘Windows Live’ policy you know that they’re in trouble. While he worked at Microsoft he was sometimes critical but never to a great extent. It’s always interesting to see what people think once they leave their former employers and speak more openly.
After criticism from Blake Ross and probably many others, Google has decided to remove its ‘tips’ service. (more…)
The flaw in Google’s webapps that affected Gmail (aka Google Mail in UK and Germany for legal reasons) appears to have been fixed by Google. The JavaScript page that used to list your contacts now returns the following empty list:
google ({
Success: false,
Errors: []
})
This means that the problem reported yesterday is no longer an issue. However, this demonstrates the importance of security in web applications is just as important as security in the browser.
As Slashdot still didn’t update their article, despite numerous comments, I will stress again that this is not a Firefox issue. It is a bug in the site and therefore will show in all browsers.
UPDATE: it seems although that particular issue has been fixed it’s still possible to access the contact list as an XML file, it’ll take a bit more coding for people to steal your contact list but may still be relatively easy. I will keep this site updated with any further news. But for the moment follow the advice in my previous post.
UPDATE 2: it appears that the contact list being accessible via an XML file is not a security risk as standard browser security should not allow JavaScript hosted on one site to process XML from a different domain. Therefore I was not able to create any steps to exploit this and there appears nothing out there in the wild either. Therefore I’m changing the title of this article back to ‘Google Fixes Contact List Flaw’. I thought it was best to err on the side of caution until I could verify if the problem was fixed.
There appears to be a cross site scripting vulnerability with Gmail that affects IE, Firefox and Opera. It’s to do with the way Gmail stores the contact list when you’re logged in. The website that supposedly demonstrates the vulnerability is currently down stating ‘Causing too much trouble already… I am sorry if it causes any inconvenience to you, or make you feeling the insecure of Google.‘ I will see if I can find out more about this within the next few hours.
UPDATE: I’ve checked and this vulnerability does affect all browsers on my system with JavaScript enabled. That’s because the bug is not with the browser, it’s just some badly designed coding from Google. The problem is caused by the fact that the contacts are stored as a plain JavaScript file and this file can be included in a HTML file and manipulated. This functionality has legitimate uses - Google Analytics and Adsense both load external JavaScript files from Googles servers, so browsers shouldn’t remove this functionality, in this instance it’s up to the application developers to consider security in their design.
Slashdot, as usual, have put up a story about this without reading the linked to article. According to Slashdot only Firefox is affected which is not true as it’s a webapp issue not a browser issue.
If you trust this site you can see an example of this vulnerability here. If you don’t trust this site then make sure you’re logged out of Gmail before visiting the page - you will see nothing in this case but selecting ‘view source’ will show you how easy accessing this data is.
Blake Ross has recently blogged about Google Tips and whether it’s a sign that Google are starting to care less about offering an unbiased view and more about pushing their own services.
A while ago I mentioned Yahoo’s customised IE7. Now a blog posting linked to from Slashdot is mentioning that Yahoo is promoting IE7 at the bottom of search pages if you view the site in Firefox or an older version of IE (see here).
I still don’t see how promoting IE7 can be in the long term interests of Yahoo, with Microsoft pusing their Windows Live Search promoting IE is just supporting a feirce rival. Then again some people would say if they’re supporting Firefox they’d support Google but that’s not quite the same. Both Yahoo and Google are in the search drop down list in Firefox. Google may be the default in Europe and the US, but Yahoo is the default in most of Asia. For each Firefox localisation they pick the most popular search engine for each area and it happens to be Google in most of the west and Yahoo in most of Asia.
Even if they felt unsure of Firefox then they could partner with Opera, it’s a much smaller download and a more trustworthy partner than Microsoft. Their special edition of IE7 is almost 17MB to download (even though according to the system requirements you need 12MB of disk space - is this the first app that takes up less space than its installer?), why encourage Firefox users to download that massive browser when to get them to default to Yahoo all they need to do is select Yahoo on Firefox’s drop down.
What’s also odd is the ads don’t appear if you’re using Opera or Safari but appear on Firefox even if you’re using Mac or Linux.
UPDATE: What are Google thinking? Thanks to Blake for spotting this.
The Firefox crop circle is now showing on Google maps. It was part of one of the imaginative Spread Firefox marketing initiatives. It looks like Google were in on the idea - if you zoom out you can see the area taken on that section of the field is newer than the surrounding area and also there’s the cars forming ‘Fx’ below the circle. For more information on this check out the Firefox flicks video blog.
Gmail (known as Google Mail in the UK and Germany for legal reasons) has recently introduced some small improvements intended to make using it easier. (more…)