An unofficial blog that watches Google's attempts to move your operating system online since 2005. Not affiliated with Google.


January 14, 2007

Google Fixes a Flaw in Blogger Custom Domains

Blogger Custom Domains, the new feature that lets you have a blog on your own domain while Google hosts it for free, had a small bug, discovered by Tony Ruscoe and Art-One. When you enter a domain, Google doesn't check if it's your domain (there's no reliable way to do that). To set up your blog, you need to create a CNAME record that points your domain to ghs.google.com. But it's not necessary to do that for ghs.google.com itself.

As Art-One discovered, a blog owner entered ghs.google.com by mistake and his blog was hosted on google.com. The problem is that a page hosted on google.com can read your Google cookie and send it to a server. Someone who has your Google cookie can access your account, if you're already logged in. Fortunately, that blog didn't use any malicious scripts; Google was notified and the problem was fixed quickly.
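The missing check described above, sketched as an added example (not Google's code and not from the original post): it rejects any requested custom domain that falls inside a provider-owned domain, using the same domain-matching rule browsers apply when deciding where to send a cookie. The reserved-domain list, the function names and the assumption that the session cookie is scoped to `.google.com` are illustrative.

```python
from typing import Tuple

# Assumption: domains the hosting provider itself owns and serves cookies on.
RESERVED_DOMAINS = ("google.com", "blogspot.com")


def normalize(host: str) -> str:
    """Lowercase, drop surrounding space and trailing dots, IDNA-encode."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")  # raises UnicodeError if malformed


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching for host names (not IP addresses):
    would a cookie set with Domain=cookie_domain be sent to host?"""
    host = normalize(host)
    cookie_domain = normalize(cookie_domain.lstrip("."))
    return host == cookie_domain or host.endswith("." + cookie_domain)


def validate_custom_domain(requested: str) -> Tuple[bool, str]:
    """Server-side check run before binding a blog to a user-supplied host."""
    try:
        host = normalize(requested)
    except UnicodeError:
        return False, "not a valid hostname"
    if "." not in host:
        return False, "not a fully qualified hostname"
    for reserved in RESERVED_DOMAINS:
        # A plain endswith("google.com") would also block notgoogle.com;
        # domain_match only fires on the domain itself or a real subdomain.
        if domain_match(host, reserved):
            return False, f"{host} is inside provider domain {reserved}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("ghs.google.com", "GHS.Google.COM.", "notgoogle.com",
                      "blog.example.org", "a..b"):
        print(f"{candidate!r:22} -> {validate_custom_domain(candidate)}")
    # Why the bug mattered: a cookie scoped to .google.com reaches the blog host.
    print(domain_match("ghs.google.com", ".google.com"))
```

The check covers only the provider's own namespace; it does not prove that the requester controls a third-party domain, which the post notes Google did not verify.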

Tony writes more about the issue and reveals some interesting things:

* You can use Blogger Custom Domains to redirect your blog to another domain or subdomain (you can claim it only once). Even though this feature is useful if you move from Blogger and decide to use another blog software (for example, WordPress installed on your domain), spammers will have an easier way to redirect BlogSpot blogs to their ugly domains.

* Google should make sure "nobody can host or inject content (and particularly scripts)" on google.com.

* It's a good idea to log out of Google when you're not using Google services and to delete your cookies from time to time (for example, at the end of each browser session).

Incidents like this are rare and there's no reason to panic.

5 comments:

  1. Do you know if Google intends to have a 'Custom Domain' facility for its pages.google.com service?

  2. There's a problem about .info domain. Anyone got this problem?

  3. Hi there!

    I am just facing something and wondering if it has to do with the same issue. Here is the story:
    I have two blogs: nomadtest.blogspot.com, and blognomadland.blogspot.com

    and one domain name: www.davidg.es
    By error, I switched nomadtest.blogspot.com to custom domain www.davidg.es. In fact I wanted to switch the other.

    When I realised I went back immediately, reversing nomadtest to blogger publishing, then switched blognomadland to www.davidg.es. Surprise, error message saying "this domain is being used by another blog".

    So I deleted nomadtest (the whole blog) and I tried again. Still same error. Seems like a blogger caching error, any idea? Now I cannot publish my blog on my own domain.... :-((

    thanks!

  4. Try switching back to blogspot.com, enter captcha and everything. Then again switch to your custom domain.
    If that fails, change your CNAME to blank and wait for 24-48 hours. Then change back to ghs.google.com and then do the whole blogger custom domain thing again.
