Another Google security hole

This simple hole allows any site to change your Google preferences behind your back. Someone could change your Google interface language to Pig Latin. (Why Pig Latin rather than, say, Russian? It's more fun, and the " in English" link isn't as obvious when the surrounding text looks like English.) Someone could make your searches only turn up English results. Worst of all, someone could stop you from using Google to search for porn by turning on SafeSearch.

Slashdot's solution to this type of hole is "formkeys". I don't know how other sites solve it. But one incorrect solution is to check referrers. (Update May 5, 2005: I'm no longer sure checking referrers is incorrect.)

One Response to “Another Google security hole”

  1. Jesse Ruderman Says:

    Bugzilla doesn’t use formkeys: