blog of the software engineering student and occasional tweeter

Google Search and Google DNS outage

Monday, October 13th, 2014

It really isn’t every day that your Google Search request fails with:

Server Error
We're sorry but it appears that there has been an internal server error while processing your request. Our engineers have been notified and are working to resolve the issue.
Please try again later.

My two subsequent attempts also failed with the same error, but it got back into working order after that.

I quickly searched this message on Google Search – after it was working of course – and found something else you also don’t quite see every day:


Crawled “38 secs ago”? Someone else’s discovery is definitely related.

Just minutes before however, and could not be reached from my location, which are usually reached in around 24ms. Over 30 minutes later, it was finally rerouted to somewhere else with a latency of 174ms. I’m not sure if these issues are related, but something has definitely gone wrong somewhere.


A 30-minute outage and then a reroute to a location outside of Australia.

I wouldn’t be surprised if some admins at Google were running around with their hair on fire.

Google Hangouts Have Stupidly Obvious Security Flaws

Tuesday, May 21st, 2013

I was just watching, as part of YouTube Comedy Week, a live broadcast of Day 1 — YouTube FanFest with HP, hosted in Singapore. It featured a Google Hangout with one of my favourite YouTube celebrities, Natalie Tran aka communitychannel, who lives in Australia and was unable to make it to Singapore for the live event. Now, you would expect IT security to be decent when it comes to a YouTube event like this one, even more so considering the event was sponsored by a large corporate company like HP. But it really wasn’t, and I feel both ends are to blame.

The Google Hangout session was screencasted by the host at the event in full-screen view, and by that I mean you could see the entire screen real-estate, taskbar, notification area and menu bars included.


You were therefore able to see the Google Hangout session identifier very clearly in the URL, in 1080p HD. Take a look above; it’s That means any one of the 5,300+ people watching live on YouTube were able to simply type the URL into their browser, reading it off the YouTube video like I did, to hijack the Google Hangout session and talk to Natalie Tran (♥). And two people did at 2 hours and 37 mintes in. One of them apparently flashed a naked photo, which happened while the camera was pointing at the audience and you could see everyone laughing. Neither the host nor Natalie Tran knew what was going on but they went along with it for a short while, with Natalie awkwardly joking about how they are her Internet boyfriends and such.

While that is funny, it’s not acceptable. First of all, the browser used at the live event, which as seen above was Google Chrome, should have been in full-screen mode obscuring any URLs from view. Secondly, and this is the real issue: Google developers should have been less naïve and realised that just because it’s not probable that an outsider will be able to view the URL of a Google Hangout, it doesn’t mean it’s a good idea to show the session identifier in plain text in the URL. They should have used a session cookie, which is not so obvious and oblivious to those who can see the screen of a Hangout user with a Hangout in progress.

Knowing the session identifier, anyone is able to join a Google Hangout without authorisation from anyone presently in the Hangout. Since I don’t use Google Hangouts, I don’t know if there exists a way to force authorisation before joining, showing video and speaking on a Hangout, but if there isn’t, this is an absolute failure of product security by design and requires urgent attention.