December 21, 2005 12:22 PM PST
Google plugs 'obscure' phishing holes
- Related Stories
Scammers jingle all the wayDecember 21, 2005
Google phishing scam promises a $400 windfallNovember 8, 2005
Yahoo fixes Web mail security flawOctober 21, 2005
Phishing fight may be paying offOctober 14, 2005
Google fixes Web site security bugOctober 10, 2005
Bug hunters, software firms in uneasy allianceSeptember 6, 2005
Gmail glitch yields access to messagesJanuary 12, 2005
The flaw, known as a cross-site scripting vulnerability, existed because Google did not properly secure its mechanism for two error pages, according to Web security company Watchfire, which discovered the problem. Watchfire posted to a security mailing list an advisory on the issue.
Attackers could exploit the flaw to launch phishing scams or steal a user's credentials, said Ory Segal, director of security research at Watchfire. Phishing scams are designed to trick people into giving up sensitive information such as usernames, passwords, credit card details and Social Security numbers.
"When we looked at the Google site, we saw that they are very good with their Web application security, but it looked like they forgot about this obscure variant of cross-site scripting," Segal said.
Google confirmed that it was alerted "a little while ago" and fixed the flaw. "No user data was compromised and we applaud Watchfire for following industry best practices for vulnerability disclosure," a Google representative said in an e-mailed statement.
The problem existed in the mechanism Google uses to generate error pages for forbidden redirects and pages that don't exist on the Google Web site, according to Watchfire. An attacker could use 7-bit Unicode Transformation Format (UTF-7) characters to exploit the flaw, Watchfire said.
Google was alerted on Nov. 15 and fixed the problem on Dec. 1 by using character encoding enforcement, according to Watchfire. The security company in its advisory commends Google for its cooperation and communication regarding this vulnerability.
Cross-site scripting flaws are found regularly. Earlier this year, Finjan Software spotted a similar bug in Google's Web site as well as Microsoft's Xbox 360 Web site. Such flaws have also been identified in Yahoo's Web-based e-mail service.
Earlier this year, a security flaw in Google's e-mail service, Gmail, was identified and fixed. The flaw could have allowed attackers to hijack Gmail users' in-boxes.