Fri, May 6, 2005

Rael Dornfest

Google Web Accelerator considered overzealous

Some users of 37 Signals's new Backpack web application started noticing yesterday that their backpacks had been rifled through and a page here and there had simply disappeared. A little digging found Google's new Web Accelerator to be the culprit. Writes Jason Fried:

The accelerator scours a page and prefetches the content behind each link. This gives the illusion of pages loading faster (since they’ve already been pre-loaded behind the scenes). Here’s the problem: Google is essentially clicking every link on the page — including links like “delete this” or “cancel that.” And to make matters worse, Google ignores the Javascript confirmations. So, if you have a “Are you sure you want to delete this?” Javascript confirmation behind that “delete” link, Google ignores it and performs the action anyway.

Since the same could be said of just about any web spider or bot -- including the Googlebot every new site owner wants so desperately to visit -- why then is Web Accelerator any different? Spiders all meander about in much the same manner, traversing the Web by visiting pages and following links recursively, link to page, link to page, ad nauseam.

The difference lies in just who is doing the clicking.

Web-dwelling spiders are typically locked out of a web application's personal view: the view with all those administrative links like "Delete Entry," "Add Item," and "Drop Table." The Google Web Accelerator, on the other hand, sees the web as you do -- administrative warts and all. As an example, take a gander at a sample phpMyAdmin view (a web application for managing your MySQL database) and notice all those red Xs. If you clicked, for instance, "Drop," you'd be dropping the entire database table at hand. But not without a popup JavaScript confirmation: "Do you really want to DROP TABLE..." which would send most people into shock, followed by a quick click of the "Cancel" button, if they'd not meant to click the "Drop" button. The Web Accelerator summarily ignores this warning (actually, it most likely doesn't even notice it, nor could it likely be taught to understand such confirmations in any reliable automated fashion). And this spider is doing all this clicking preemptively, prefetching anything within your purview you might actually chance to click on in the near future.

While there's much hay to be made about the inapplicability of simple GET links (i.e. your run-of-the-mill hyperlink) to actions that result in change (i.e. deleting rather than simply visiting something), it is well known that web applications in the wild often don't follow those safety standards. phpMyAdmin, mentioned in the previous paragraph, is rife with potentially destructive GETs. Even Google's own Blogger weblog application has its share of destructive GET actions; comments Anil Kandangath: "To see a dangerous use, you have to look no farther than Google's own Blogger. If you post a comment on a blogger weblog, and if you are logged on, you can see a delete icon near your comments. If you are the owner of the weblog, you can see the delete icon near *all* the comments." I wonder if Blogger users have noticed their comments disappearing? (And if not, why not?) A quick look through Gmail finds pretty well everything potentially inbox-altering sitting behind a nice safe POST.

Yes, one could argue that only "badly designed" web applications that don't follow the rules of GET and POST will be affected, but I'm not sure this is an argument that Google (or anyone else who actually builds or uses web apps in the wild) would care to make in this situation.

(Not to mention the pure annoyance value of your Web Accelerator clicking all those "Logout"/"Sign Out" links on the sites you visit -- and those certainly are not usually seen as POST-worthy.)

There are some rules with regard to prefetching, but as 37s SVN reader "matthew" comments: 'It appears that google is going past the standards of "prefetching", at least as described by mozilla. that faq makes a point that "URLs with a query string are not prefetched" and "https:// URLs are never prefetched for security reasons"'. (That said, Ruby on Rails apps like Backpack format queries that would usually be appended to URLs after a ? as fully formed URLs like http://username.backpackit.com/pages/blank_slate.) Now a webmaster FAQ on the Google Web Accelerator site (and when I say "on the site" I mean that it was on the site and seems, at the time of this writing, to have disappeared) does suggest how you might make some suggestions to the Web Accelerator about what _should_ be prefetched (applying a rel="prefetch" attribute to those links), but not how to say specifically that something should not be prefetched. If you're running an Apache server, Shane Allen suggests some rewrite magic based on the HTTP_X_MOZ header; you should find something apropos for your particular server and application combination.
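To make the preceding points concrete, here is an added example (not code from Backpack, Rails, 37signals or Google): a toy web application whose logged-in page carries the same sort of "view", "delete" and "Logout" links, plus a simulated prefetcher that follows every href it sees with the user's cookie, marking its requests the Mozilla way ("X-moz: prefetch"). It compares three server policies: the naive one from the post (destructive actions behind plain GET links), the rewrite-rule idea (refuse anything marked as a prefetch), and the GET/POST discipline the post describes. Every route, page, cookie value and header check below is constructed for the example; the prefetcher's behaviour follows the post's description rather than any measured behaviour of Web Accelerator.

```ruby
# Added example, not code from Backpack, Rails, Google or 37signals: a toy web
# application plus a simulated link-following prefetcher, used to compare three
# ways of handling the "delete" links the post describes. Every route, name and
# page below is constructed for this example.

COOKIE = 'session=constructed-token' # the logged-in user's session cookie (constructed)

Request = Struct.new(:http_method, :path, :headers, :cookie)

class ToyBackpack
  attr_reader :pages

  # policy  :naive  - destructive actions sit behind plain GET links (the situation in the post)
  #         :header - refuse any request marked "X-moz: prefetch" (the Apache rewrite idea)
  #         :post   - destructive actions accepted only via POST
  def initialize(policy)
    @policy = policy
    @pages = { 1 => 'groceries', 2 => 'travel notes', 3 => 'blank_slate' }
    @logged_in = true
  end

  def logged_in?
    @logged_in
  end

  # The logged-in view: the links (and their JavaScript confirmations) a prefetcher sees.
  def index
    links = @pages.keys.map do |id|
      %(<a href="/pages/#{id}">view</a> ) +
        %(<a href="/pages/#{id}/destroy" onclick="return confirm('Delete?')">delete</a>)
    end
    links << '<a href="/logout">Logout</a>'
    [200, links.join("\n")]
  end

  def handle(req)
    return [401, 'not logged in'] unless logged_in? && req.cookie == COOKIE
    headers = req.headers || {}
    return [403, 'prefetch refused'] if @policy == :header && headers['X-moz'] == 'prefetch'

    case req.path
    when '/'
      index
    when %r{\A/pages/(\d+)\z}
      id = $1.to_i
      @pages.key?(id) ? [200, @pages[id]] : [404, 'no such page']
    when %r{\A/pages/(\d+)/destroy\z}
      id = $1.to_i
      return [405, 'use POST'] if @policy == :post && req.http_method != 'POST'
      @pages.delete(id) ? [200, 'deleted'] : [404, 'no such page']
    when '/logout'
      @logged_in = false # a GET logout under every policy, as is common in the wild
      [200, 'logged out']
    else
      [404, 'no such page']
    end
  end
end

module Prefetcher
  # Fetches the user's page with the user's cookie, then issues a GET for every
  # href it finds, as the post describes; the confirm() on the delete links is
  # never evaluated because only the href attribute is read.
  def self.run(app, cookie)
    status, html = app.handle(Request.new('GET', '/', {}, cookie))
    return [] unless status == 200
    html.scan(/href="([^"]+)"/).flatten.map do |href|
      code, = app.handle(Request.new('GET', href, { 'X-moz' => 'prefetch' }, cookie))
      [href, code]
    end
  end
end

# Runs three independent probes, each against a fresh app instance, for one policy.
def simulate(policy)
  app = ToyBackpack.new(policy)
  trail = Prefetcher.run(app, COOKIE)
  # A GET carrying the cookie but no prefetch header: what a link embedded in some
  # other page would produce (the scenario raised in the comments below).
  cross_site, = ToyBackpack.new(policy).handle(Request.new('GET', '/pages/3/destroy', {}, COOKIE))
  # The real user deleting through a form submission.
  user_post, = ToyBackpack.new(policy).handle(Request.new('POST', '/pages/2/destroy', {}, COOKIE))
  {
    pages_left: app.pages.keys,
    still_logged_in: app.logged_in?,
    prefetch_codes: trail.map(&:last),
    cross_site_get: cross_site,
    user_post: user_post
  }
end

if __FILE__ == $PROGRAM_NAME
  %i[naive header post].each { |policy| puts "#{policy}: #{simulate(policy)}" }
end
```

Under the naive policy the prefetcher empties the store and logs the user out, exactly the Backpack symptom. Filtering on the prefetch header keeps the pages but only against clients that announce themselves; the same GET arriving without the header still deletes. Requiring POST for the destructive routes is the only one of the three that holds up in both cases, while the GET logout link still gets "clicked", which is the residual annoyance the post mentions.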

Until this is all sorted out, if you build or host web applications, you might want to take some of the precautions being bandied about today. Here's one for Ruby on Rails apps. And there are various others embedded in the discussion following the 37 Signals blog post on the issue.

In the meantime you can keep up with the conversation on the 37 Signals blog and Web Accelerator Google Group.



Comments: 30

  Simon Willison [05.06.05 01:30 PM]

There's an interesting thread about this forming on my blog. It seems that there's another disadvantage to state-changing GETs that people rarely consider: malicious web pages can take advantage of them to trick your browser into deleting things using an embedded iframe or similar, pointed at the link. Since your browser is already authenticated with the application (with cookies or HTTP Auth) a craftily constructed page could cause havoc.

  Kevin [05.07.05 05:15 PM]

The Web Accelerator backlash gains pace - nowebaccelerator.com

  00blog [05.08.05 10:06 AM]

the web accelerator loses pace - google stopped distribution of the plugin.

  pb [05.09.05 10:24 AM]

The pre-fetching functionality is vastly misunderstood. While Google dropped the ball on documenting how GWA behaves, it's obviously NOT pre-fetching every "href" or "form get" on a page. Google reported that it doesn't fetch URLs with "?" in them. It's unlikely that it's providing the cookie which most sites would require for session management. And it's not even clear if GWA is purposefully pre-fetching any links that are not explicitly marked for prefetching with "link rel=prefetch".

Part of Backpack's problem is that it doesn't use querystrings. Ex:
http://test.backpackit.com/page/8144
as opposed to
http://test.backpackit.com?page=8144

  Lucas Gonze [05.09.05 08:12 PM]

I'm skeptical that the problem exists. It would involve fairly amateurish mistakes by the Google developers. Also, I haven't seen any high quality reports of people reproducing the damage in their own testing.

My guess is that this is pure hysteria.

  Michel Mahieu [05.13.05 03:14 PM]

Dear Sir,

I can not download "Google web accelerator" because I do not find the place where I can download it.

Can you help me please?

Michel Mahieu

michelmahieu62@skynet.be

  ronald [11.05.05 12:57 PM]

webaccelerator.google.com

  James [12.06.05 06:20 AM]

The ability to pre-fetch a page will never be justification enough for me to download and use such a piece of software. Not when it has the potential to mess up what already works for me. The web is blazing fast enough, thank you.

  Len [12.15.05 06:25 PM]

I installed it and after a few days removed it.
It seemed to save a couple of seconds the first few days but then pages wouldn't open. After hours of figuring out why, Googling found the answer. The web accelerator placed http://localhost:9100/proxy.pac under "use automatic script" in IE options/lan settings.

I couldn't delete the url. It would keep coming back by itself.
After uninstalling Web accelerator, the problem disappeared.
Good riddance.

  Jim Ellis [05.25.06 02:03 PM]

I cannot get web accelerator uninstalled - what a bad download - can any one help me!! Thanks, Jim

  Mark [07.13.06 07:50 PM]

I don't know what you're talking about; it hasn't done anything on my computer except make the web faster, and I have had it for a year.

  r reynolds [07.17.06 02:51 PM]

How can I cancel Google Accelerator?

  Glenn Reiser [07.17.06 08:24 PM]

This web accelerator program totally hijacked my internet connection, making it impossible for me to delete the localhost.9100/proxy.pac from the Lan Settings. I deleted the Google Web Accelerator Program and immediately was able to connect through IE, though I see the proxy.pac file still remains in the background of the manual configuration setting which is disabled and even though the automatic configuration is enabled

  Glenn Reiser [07.17.06 08:26 PM]

Reply to R Reynolds - go into your control panel, add/remove programs and remove Google Web Accelerator - worked for me

  Bonnie McCarthy (Drumm) [08.17.06 01:43 PM]

CANCEL GOOGLE ACCELERATOR, AT ONCE!

  No use... [10.03.06 06:50 AM]

There will never be justification for the use of web accelerators... if you download the application you're just at fault as the developer of such worthless junk.

  this thing is usless [10.12.06 07:33 AM]

Google, has opened a door to bad things
-annonymissy like guy found on the internet to post here for some unknown reason.

  Not Too Creepy [11.07.06 07:21 PM]

The GWA appears to conflict with the Fasterfox, and their Performance Data is highly specious.
If you have a Mozilla browser w/ Fasterfox (which is vastly more compatible), that's enough. GWA is a fool's paradise, all!

  Travon Sweat [11.16.06 10:09 PM]

Veteran game show host Bob Barker is stepping down from hosting The Price is Right after 35 years...

  Catherine Clark [01.28.07 07:47 PM]

I can't delete GWA through add and delete programs; any other suggestions?

  Sam [02.09.07 09:02 AM]

After downloading the Google Web Accelerator some web pages would not be displayed properly. It would not display pictures on the internet properly. Take my advice, DO NOT DOWNLOAD THIS WEB ACCELERATOR.

  Viking [02.16.07 05:23 AM]

It seems that Google's web accelerator is full of leaks and bugs !!! If you are concerned and if you are worried about security issues DON'T DOWNLOAD THIS WEB ACCELERATOR !!!

A controversy arose with the original implementation of the accelerator as some users found that their personal website cookies were being shared with other users accessing the same page.

For example, some users were able to view pages such as forum control panels containing personal information from other users, and it was therefore possible to spoof a post as another user. Secure websites were unaffected as the Google Accelerator did not scan sites protected by https.

But as long as Google can't or will not guarantee the safety and security of using Google Web Accelerator, the general recommendation from mostly every computer security expert is to NOT DOWNLOAD Google's Web Accelerator until Google makes an official guarantee that it's totally 100 % secure to use their web accelerator...

  Micheal Han [07.19.07 01:04 AM]

I don't think GWC is not good at all. It best serves people who don't surf so much only. Plus it also gives an option where you can turn it on or off.

  Micheal Han [07.19.07 01:09 AM]

Catherine Clark - If you're using Firefox, You can remove Google Web Accelerator by Select Menu Tool --> Add-On.

  Mark Nottingham [07.27.07 11:07 PM]

I like a world with GWA; it reminds people that they have to pay attention to the technology they use, or face the consequences.

  barbara wright [10.26.07 06:35 PM]

cancel my google connection

  J.O. Urban [10.29.07 12:51 PM]

Couldn't such a problem be simply fixed by instructing the accelerator to ignore certain types of links and only follow links with certain characteristics? But besides that, imagine all the wasted bandwidth used up on such an accelerator. Overall pretty bad concept I must say.

  ruhan [02.21.08 01:54 AM]

The Emu (yazilim) and digital some (kanallarin) coded while loaded to the dependent receivers ' memories a password while becoming alive. The time which you loaded your machines the Emu (yazilim) your problematic salesman who will exist to the you the guaranty which she offered does not enter your extent. Which the (yazilim) were not produced after the expert is produced from a persons side undefined.

Asansör

  Flyinseamnky [07.17.08 08:04 PM]

For those of you who have installed it, and ran into the http://localhost:9100/proxy.pac under "use automatic script" in IE options/lan settings problem, and have been able to simply uninstall the program and have your internet work, consider yourselves lucky! I uninstalled, and the setting is still there, preventing any browser program from accessing the internet. Although ping services (IM) still work. I cannot seem to find the problem, and fear that I am going to have to clean install XP. I found some websites with a program called Hijackthis, but I have not read any feedback from people who have used it, stating that it worked. The most current thread I am following is: http://forum.aumha.org/viewtopic.php?f=30&t=28074 I am up to downloading the Java JRE file now from my wife's computer. We will see how that goes. If you are thinking about installing it, don't! If you have any ideas on how to fix it, please reply here.
