- Related Stories
-
Scammers jingle all the way
December 21, 2005 -
Google phishing scam promises a $400 windfall
November 8, 2005 -
Yahoo fixes Web mail security flaw
October 21, 2005 -
Phishing fight may be paying off
October 14, 2005 -
Google fixes Web site security bug
October 10, 2005 -
Bug hunters, software firms in uneasy alliance
September 6, 2005 -
Gmail glitch yields access to messages
January 12, 2005
The flaw, known as a cross-site scripting vulnerability, existed because Google did not properly secure its mechanism for two error pages, according to Web security company Watchfire, which discovered the problem. Watchfire posted to a security mailing list an advisory on the issue.
Attackers could exploit the flaw to launch phishing scams or steal a user's credentials, said Ory Segal, director of security research at Watchfire. Phishing scams are designed to trick people into giving up sensitive information such as usernames, passwords, credit card details and Social Security numbers.
"When we looked at the Google site, we saw that they are very good with their Web application security, but it looked like they forgot about this obscure variant of cross-site scripting," Segal said.
Google confirmed that it was alerted "a little while ago" and fixed the flaw. "No user data was compromised and we applaud Watchfire for following industry best practices for vulnerability disclosure," a Google representative said in an e-mailed statement.
The problem existed in the mechanism Google uses to generate error pages for forbidden redirects and pages that don't exist on the Google Web site, according to Watchfire. An attacker could use 7-bit Unicode Transformation Format (UTF-7) characters to exploit the flaw, Watchfire said.
In an attack, the target would click on a malicious link or visit a specially crafted Web page, Segal said. "You would then see the Google error page in your browser and with that message also receive malicious JavaScript code planted in the link," he said. Because the code is coming from Google, it can access data such as Google cookies, he said.
Google was alerted on Nov. 15 and fixed the problem on Dec. 1 by using character encoding enforcement, according to Watchfire. The security company in its advisory commends Google for its cooperation and communication regarding this vulnerability.
Cross-site scripting flaws are found regularly. Earlier this year, Finjan Software spotted a similar bug in Google's Web site as well as Microsoft's Xbox 360 Web site. Such flaws have also been identified in Yahoo's Web-based e-mail service.
Earlier this year, a security flaw in Google's e-mail service, Gmail, was identified and fixed. The flaw could have allowed attackers to hijack Gmail users' in-boxes.
See more CNET content tagged:
Watchfire, phishing, flaw, XSS, Google Inc.
http://groups.google.com/group/n3td3v/browse_thread/thread/64a322968d71fe3b
http://groups.google.com/group/n3td3v/browse_thread/thread/4401b8530e56cca7/8d6a60934e98fc9d?lnk=raot#8d6a60934e98fc9d