April 14, 2008 3:24 PM PDT

Gmail cookie stolen via Google Spreadsheets

by Robert Vamosi

Security researcher Bill Rios reported Monday that a cross-site scripting (XSS) attack against Google Spreadsheet could have exposed all of Google's services. XSS can occur whenever a legitimate site accepts input from the user without filtering it properly, allowing potentially malicious instructions to be injected. In this case, however, once an attacker could run script on any xxxx.google.com site, they would have access to other Google services, such as Gmail, Docs, and Code.

In an e-mail to CNET News.com, a Google representative confirmed that the flaw as described by Rios has been fixed. "Google takes the security of our users' information very seriously," said a Google spokesperson. "We worked quickly to address the vulnerability and rolled out a fix before it was reported publicly. We have not received any reports of this vulnerability being exploited."

According to Rios, he was able to get Internet Explorer to disregard the content type of the HTTP response returned to the browser while using Google Spreadsheets. At issue here is whether or not the browser will ignore the content-type header in certain circumstances. Rios points out that all browsers have the potential to do this under certain circumstances, so the problem isn't entirely with Google.

In his blog, Rios created a spreadsheet, placing an alert(document.cookie) script string surrounded by HTML tags in the first cell. When that cell content is saved and downloaded as a comma-separated value (CSV) file, the content type should be text/plain. However, since Rios added HTML to the string, Internet Explorer sees the HTML first and renders the file as HTML instead.

Whenever a victim is lured to this CSV URL, an Alert dialog box will pop up on the attacker's desktop containing the victim's current Google session information. The session cookie would be valid on other Google services used by the victim such as Gmail, Docs, etc.
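To make the mechanism concrete from the defender's side, here is an added example (not code from the article or from Rios) that models the sniffing decision described above and contrasts the weak response shape with headers that keep a user-controlled CSV from being rendered inline. The tag list, the 256-byte sniff window and the two response builders are assumptions for illustration; X-Content-Type-Options: nosniff postdates this article (introduced with IE8) and is included as the modern header for the same problem.

```python
import csv
import io
import re

# Simplified model (constructed for this example) of the content sniffing the
# article describes: a text/plain body whose leading bytes contain HTML tags is
# rendered as HTML by a sniffing browser. Tag list and window are assumptions.
_HTML_TAGS = re.compile(rb"<\s*(html|script|body|head|iframe|img|a|table)\b", re.I)
SNIFF_WINDOW = 256  # sniffers look only at the first bytes of the body

def looks_like_html(body: bytes) -> bool:
    """True if the leading bytes would make a sniffing browser treat this as HTML."""
    return _HTML_TAGS.search(body[:SNIFF_WINDOW]) is not None

def rendered_as(headers: dict, body: bytes) -> str:
    """Predict how a sniffing browser handles the response: 'html' or 'text'."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        return "html"
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    attachment = headers.get("Content-Disposition", "").lower().startswith("attachment")
    if nosniff or attachment:
        return "text"  # declared type honoured, or saved to disk rather than rendered
    return "html" if looks_like_html(body) else "text"

def to_csv(rows) -> bytes:
    """Serialise rows with every cell quoted, so no cell starts the file unquoted."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows(rows)
    return buf.getvalue().encode("utf-8")

def weak_csv_response(rows):
    """The response shape the article describes: text/plain and nothing else."""
    return {"Content-Type": "text/plain"}, to_csv(rows)

def hardened_csv_response(rows, filename="export.csv"):
    """Headers that stop a user-controlled CSV from being rendered inline as HTML."""
    headers = {
        "Content-Type": "text/csv; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",  # honoured by IE8+ and modern browsers
    }
    return headers, to_csv(rows)

# Constructed sample row: a cell shaped like the one in the article's proof of concept.
SAMPLE_ROWS = [["<html><script>alert(document.cookie)</script></html>", "2"]]

if __name__ == "__main__":
    for name, build in (("weak", weak_csv_response), ("hardened", hardened_csv_response)):
        hdrs, body = build(SAMPLE_ROWS)
        print(f"{name} response would be rendered as: {rendered_as(hdrs, body)}")
```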

Rios offers this XSS flaw as a cautionary tale, and recommends that security-minded readers check out a paper by Blake Frantz of Leviathan Security. In "Flirting with MIME types," Frantz found that, while other browsers were also indiscriminate about rendering file types as HTML, IE did so on 696 file types out of 735 tested. To give perspective, the next closest was Opera at 14, with Firefox at 8, and Safari at 7.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
And the lesson is ....
by ppgreat April 14, 2008 5:18 PM PDT
... spelled out in the numbers at the end of the story as to which
browser to avoid.

Do you people need a house to fall on you??
Simple answer, wrong question.
by Vegaman_Dan April 14, 2008 8:13 PM PDT
This affects more than IE as it turns out. The article is about Google's vulnerability. You can try it out with Firefox, Opera and Safari if you wish as well.
the lesson is really
by bruceslog April 15, 2008 8:33 AM PDT
The biggest lesson I learn with these exploits is that free software and web services, such as and particularly Google, always seem to fix these exploits as they arise very quickly, and with class. Whereas the software that we have to pay an arm and a leg for?? We wait for fixes and patches when the company gets around to it, which sometimes takes them years. Heck, some well known firms have exploits in their software that were revealed many years ago that are still not fixed.

Kudos to Google again, and again!
Stories like this make me realize who I should trust more.
don't use public websites
by gggg sssss April 15, 2008 5:33 PM PDT
for anything confidential. Will salesforce.com be next?
Stolen cookies.....
by aintnorainbowdorothy April 15, 2008 1:49 PM PDT
are proven to be from all browsers. Sure IE had the most, but just how many people really use Google Spreadsheets? Or Gmail for that matter. Safari has a few big holes, as does Opera. All browsers can be broken into; it just happens that the number of users of IE far outstrips the sum of all users of the other browsers.