Fake website ID certificate poses threat to Google+
A security lapse that could have allowed hackers to fool people that they were on Google+ has been thwarted at the last-minute. Expert web browser makers have rushed to correct the loophole which could have seen cyber theives impersonate one of the world’s largest and well-known web sites.
It is thought that the security lapse occurred by exploiting Google+ ID credentials, these are the tools that browsers use to ensure a website is who it says it is.
If you manage to use fake ID credential, you can mimic any website, and cyber hackers could have indeed created a website that users thought was part of the Google+ social network.
The mistake has been traced back to a Turkish security firm TurkTrust who supposedly issued them in error. In a statement from TurkTrust, they said that there was no evidence the data had been used for dishonest purposes. But this is not the first time that the Turkish company have accidently issued the wrong type of security ID credentials, as in August 2011 it mistakenly gave out the wrong type of security credential, a form of identification known as an intermediate certificate.
Instead of issuing low-level certificates it mistakenly gave out what amounted to “master keys” which could have allowed a bogus site to pretend it was the legitimate version without triggering a warning.
Security analyst Chester Wisniewski from Sophos explains in a blogpost the difference between certificates: “An intermediate certificate is essentially a master-key that can create certificates for any domain name. These certificates could be used to impersonate any website to any browser without the end-user being alerted that anything is wrong.”
The certificates are important, he said, because secure use of web shops and other services revolve around interaction between the “master keys” and the lower level security credentials.
Luckily Google+ has built-in security checks that are automated and it was during one of these checks that the error was spotted. Google’s Chrome browser noticed someone was using the program with an unauthorised certificate for the “*.google.com” domain. If this error had gone unchecked, the person could have gone onto to impersonate Google+, Gmail and other services run by the US firm.
This means that basically the person would then be potentially able to hijack any communications sent by users to the real Google+ network and target sensitive information.
Google+ have passed on a warning to other browser makers after the threat to their security was discovered. This prompted Microsoft and Firefox developer Mozilla to immediately issue updates which revoked the two wrongly issued intermediate certificates.
It is not known who was the person that breached the security of the ID certificate, or what their intention was. This is not a new problem however, as fake certificates have been issued before now from other firms which have allowed cyber thieves access to passwords and login details.
“It is really time we move on from this 20-year-old, poorly implemented system,” wrote Mr Wisniewski. “It doesn’t need to be perfect to beat what we have.”
Source: BBC News