In early 2009, Google announced it had been subjected to a “highly sophisticated and targeted attack” on its operations in China, with part of the attack targeting email accounts used by Chinese human rights activists. The incident has sparked an international policy dispute between China and the United States, and has seen Google shut down portions of its China operations and move its Google.cn search service to Hong Kong, where it can operate outside the Chinese government’s censorship regime. Now the New York Times, citing an unnamed source with “direct knowledge” of the investigation, says the attack was after more than some Gmail accounts: it targeted Google’s single sign-in password system, widely regarded as one of the company’s most crucial technologies.
Google’s one-password technology, known in-house as “Gaia,” enables users to use a plethora of Google services (from Gmail to calendars to Google Apps to Picasa photo sharing to blogs to Google Wave and much more) without having to sign into each Google service separately.
According to the story, the attackers do not appear to have been able to access the passwords of Gmail users, and Google quickly responded by making “significant” changes to its security and network profile. However, the story raises the possibility that Google’s single sign-on system itself may have been compromised: the attackers specifically targeted Google developers working on Gaia, and were able to access a group of computers at Google’s Mountain View headquarters, including a software repository.
As Google’s emphasis increasingly shifts to mobile and cloud-based services, a security flaw in a single sign-in system could put a great deal of business and personal data at risk, since one compromised credential or component would unlock every service behind it.