Your next computer virus will come from … Google.

Or at least the next phishing scheme you look at might. Or worse yet: the next time you see something that looks like a phishing scheme, and aren’t sure whether to trust it or not, you may have no-one to blame but Google for the problem.

Holy cow.

In a case of “sticking their head in the sand” that may be even worse than Apple refusing to acknowledge the existence of the Mac Defender Malware Threat, Google has created a situation that could act like a virus on your computer, no matter what kind of computer you use, and they’ve tried to cover that up.

Harsh charge, I know. And maybe it wasn’t a cover-up so much as a “well, that would be embarrassing, so we’d better try to get people to stop talking about it”.

Oh wait; that’s a cover-up.

If the folks at F-Secure are to be believed, when they did a bit of research into security problems in Google Docs, Google asked them to cover their tracks. Because there’s always the chance that F-Secure could wimp out, I’m reproducing the information Google asked F-Secure to squash and F-Secure’s accounting of that here:

Here’s the URL to the form:

Updated to add: We got contacted by a Google employee.
They informed us that, surprisingly, the questionable page is indeed the official Google form to request Google Voice account transfer. They also told us to remove all references to the form in this blog post. But I’m afraid we can’t do that.

Insecure Google Voice Form At Google Docs


Aside from that whole messy “cover-up” thing, here’s why this is so troubling:

Computer viruses are bad news. That’s obvious enough, and despite the fact plenty of people still either don’t use anti-virus software or don’t keep theirs up to date, anti-virus is one of the few things that almost everyone understands is a real issue in everyday computer use.

Even better, everyone knows what to do about it. Again, too many people fail to keep their anti-virus software current, but at least everyone knows that they should. But now, the issue gets murky.

A computer virus is a piece of software that creeps into your computer unannounced, riding on the back of a legitimate piece of code. Anti-virus software is designed to catch that. Malware (like Mac Defender), on the other hand, is software that pretends to be one thing, but is really another. Malware has the same effect as a virus, though; once you install it, malware does something on your computer that you don’t want, and is hard to get rid of. And the good news is that your anti-virus software is probably also anti-malware software.

But then there are the threats to your computer and your security that are harder to define, and harder to decide responsibility for defending against. Phishing is when you are asked for information you shouldn’t be giving out, like a password or a credit card number, or social security number, by someone masquerading as someone else.

That one’s a user responsibility thing, and just like “don’t cross the street until you look both ways to be sure it’s safe”, we all need to learn that you don’t give out your passwords on-line. Ever.

With that said, Google, the other search companies, and the companies that make browser software all include anti-phishing measures in their wares. You’ve probably encountered a warning while on the Internet where, instead of reaching the page you clicked a link for, you got a message either warning you that the page has been reported as dangerous or flat-out refusing to let you go there.

And that’s good. And no, I’m not for one second going to argue that, because some responsibility for you has been taken, the Googles of the world need to take full responsibility. Coffee is hot. Don’t spill it on yourself, and don’t sue the restaurant that served it to you if you do spill it. Why? BECAUSE COFFEE IS HOT.

But because a Google Docs document is hosted on a Google server, that document is assumed to be safe when you open it. Anyone keeping a database of potential security threats isn’t going to include Google in that database. And while Google could move publicly-created pages onto other servers and remove the security certificates from those servers, leaving us all to fend for ourselves, they aren’t going to do that.
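The gap described above, as an added example (not code from the original post, Google or F-Secure): a host-reputation check passes anything on a trusted document host, while a check of the form's own fields still notices a request for secrets. The host names, blocklist, term list and sample form are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a tiny stand-in for a URL-reputation list (constructed hosts).
BLOCKLISTED_HOSTS = {"login-update.example.net"}
# Illustrative, not exhaustive: wording that suggests a field collects a secret.
SENSITIVE = re.compile(
    r"\b(password|passcode|pin|ssn|social security|credit card|card number|cvv)\b")

class FormFieldCollector(HTMLParser):
    """Collects label text and the type/name of each input on a page."""
    def __init__(self):
        super().__init__()
        self.fields, self._in_label = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            self._in_label = True
        elif tag in ("input", "textarea"):
            self.fields.append(" ".join(filter(None, (a.get("type"), a.get("name")))))

    def handle_endtag(self, tag):
        if tag == "label":
            self._in_label = False

    def handle_data(self, data):
        if self._in_label and data.strip():
            self.fields.append(data.strip())

def reputation_verdict(url):
    """Host-reputation check: only the hostname is consulted."""
    return "block" if (urlparse(url).hostname or "") in BLOCKLISTED_HOSTS else "allow"

def sensitive_fields(html):
    """Content check: which secrets the form asks for, whatever the host."""
    parser = FormFieldCollector()
    parser.feed(html)
    # Normalise so names like voice_pin split into words before matching.
    norm = (re.sub(r"[^a-z]+", " ", f.lower()) for f in parser.fields)
    return sorted({m.group(1) for m in map(SENSITIVE.search, norm) if m})

def verdict(url, html):
    if reputation_verdict(url) == "block":
        return "block"
    return "warn" if sensitive_fields(html) else "allow"

# Constructed sample: a form on a host no reputation list would flag.
SAMPLE_URL = "https://docs.example.com/form/CONSTRUCTED"
SAMPLE_FORM = """<form method="post">
  <label>Email address</label><input type="text" name="email">
  <label>Account PIN</label><input type="text" name="voice_pin">
  <label>Shipping address</label><textarea name="shipping"></textarea></form>"""
```

The PIN field here is a plain `type="text"` input, so looking only for password-type inputs would miss it; the label and field name are what give it away.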

Which brings us full circle. Google Docs is cool, created and hosted by Google, and free for many uses. So the underlying points are simple:

  1. Don’t EVER give out your secure information
  2. Google, don’t ask people to do so, as you have in the form at

Is this a re-cap of Google asking you to pay them for security? I hope not, and don’t think so. Is it tied into Google simply not caring about your security? No. And I wish I could draw that connection.

It’s not even like the misdirect that Google pulled when they introduced Google Dashboard, alluded to some security improvements, but actually lessened security.

It’s worse. It’s Google being careless in the use of their own tools, pretending otherwise, and then trying to cover their tracks.

We should be able to expect better. But Business Change sometimes happens by accident, and as Google gets bigger and bigger they become all but unmanageable in some regards. Having a form do something that violates basic security tenets is bad, but covering it up instead of just fixing the problem? Unconscionable.

Or just hope it’s all OK.

