Google has fixed a security flaw on its Web site that opened the door to phishing scams, account hijacks and other attacks, security researchers said Monday.
The flaw, known as a cross-site scripting vulnerability, existed on the Web site for Google's AdWords advertising program and a customer training site, according to security company Finjan Software, which discovered the problem.
Attackers could have exploited the flaw to hijack Google accounts, launch phishing scams or even download malicious code onto users' computers, according to Finjan. Phishing scams are designed to trick people into giving up sensitive information such as usernames, passwords, credit card details and Social Security numbers.
Finjan informed Google of the bug late last month, and the problem was fixed within 30 hours, said Limor Elbaz, a vice president at Finjan, which is headquartered in San Jose, Calif. "Google's responsiveness was very good," she said.
Google confirmed that it was alerted "a little while ago" and fixed the flaw. "No user data was compromised, and we applaud Finjan for following industry best practices for vulnerability disclosure," a Google representative said in an e-mailed statement.
The security problem existed because forms on Google's Web site did not validate and filter data entered into certain fields. This allowed an attacker to inject extra content and scripts that would run on the user's computer, according to Finjan. To take advantage of the flaw, an attacker would have to craft a special Web link and trick the user to follow it.
"The dangerous thing in the case of Google is that the link would look like an innocent Google link," Elbaz said.
Cross-site scripting flaws are found regularly. Earlier this year, Finjan spotted a similar bug in Microsoft's Xbox 360 Web site. The company earlier identified holes in Yahoo's Web-based e-mail service.
Finjan, which sells products to protect corporate systems against Web-based attacks, has tools to scan Web sites for vulnerabilities. The company regularly puts popular Web sites to the test. "We do this to encourage vendors to improve their products," Elbaz said.
With the cross-site scripting flaw fixed, Google's Web site is now deemed secure by Finjan. "We found that the rest of the Web site is not vulnerable, at least to the cross-site scripting vulnerabilities," Elbaz said. "We will keep following the site."
Earlier this year, a security flaw in Google's e-mail service, Gmail, was identified and fixed. The flaw could have allowed attackers to hijack Gmail users' in-boxes.
As a user of Gmail, and Google Adwords I am very concerned, and at the same time relieved that its been fixed. Such flaws can lead to disappointment. __________________________________ R.K. <a class="jive-link-external" href="http://www.Remove-All-Spyware.com/" target="_newWindow">http://www.Remove-All-Spyware.com/</a>
Now if Google had not reponded to the issue and then Finjan had to go public, it would be a high impact issue.
The fact is there are many outstanding security issues lurking out there in various software products and online websites (and this will always be the case).
Many of these issues will not be reported publicly (until solved) but that does not mean they are not being worked on.
Publicly reporting the issues before the developer/service provider has had ample opportunity to repair is irresponsible.
Conversely it is irresponsible for security experts and the media not to report if there indeed has been ample time to repair.
The balancing act (the topping point) in reporting involves deciding on how much time is enough, and more importanly, how large the security issue is and if any workarounds are available.
This is up to intelligent minds to decide, at both software development companies, so-called security expert/consulting companies, the media and the public at-large.
I thought Google was not talking to cnet? What changed?
Google confirmed that it was alerted "a little while ago" and fixed the flaw. "No user data was compromised, and we applaud Finjan for following industry best practices for vulnerability disclosure," a Google representative said in an e-mailed statement.
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
After a higher-than-expected fourth quarter, the video subscription service unburdens itself of a pending yearlong class action suit and settles for $9 million.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
__________________________________
R.K.
<a class="jive-link-external" href="http://www.Remove-All-Spyware.com/" target="_newWindow">http://www.Remove-All-Spyware.com/</a>
Now if Google had not reponded to the issue and then Finjan had to go public, it would be a high impact issue.
The fact is there are many outstanding security issues lurking out there in various software products and online websites (and this will always be the case).
Many of these issues will not be reported publicly (until solved) but that does not mean they are not being worked on.
Publicly reporting the issues before the developer/service provider has had ample opportunity to repair is irresponsible.
Conversely it is irresponsible for security experts and the media not to report if there indeed has been ample time to repair.
The balancing act (the topping point) in reporting involves deciding on how much time is enough, and more importanly, how large the security issue is and if any workarounds are available.
This is up to intelligent minds to decide, at both software development companies, so-called security expert/consulting companies, the media and the public at-large.
Woody
-
Thanks, n3td3v ;-)