Google has fixed a security flaw that had opened the door to phishing scams, account hijacks and other attacks, security researchers said Wednesday.
The flaw, known as a cross-site scripting vulnerability, existed because Google did not properly secure its mechanism for two error pages, according to Web security company Watchfire, which discovered the problem. Watchfire posted to a security mailing list an advisory on the issue.
Attackers could exploit the flaw to launch phishing scams or steal a user's credentials, said Ory Segal, director of security research at Watchfire. Phishing scams are designed to trick people into giving up sensitive information such as usernames, passwords, credit card details and Social Security numbers.
"When we looked at the Google site, we saw that they are very good with their Web application security, but it looked like they forgot about this obscure variant of cross-site scripting," Segal said.
Google confirmed that it was alerted "a little while ago" and fixed the flaw. "No user data was compromised and we applaud Watchfire for following industry best practices for vulnerability disclosure," a Google representative said in an e-mailed statement.
The problem existed in the mechanism Google uses to generate error pages for forbidden redirects and pages that don't exist on the Google Web site, according to Watchfire. An attacker could use 7-bit Unicode Transformation Format (UTF-7) characters to exploit the flaw, Watchfire said.
In an attack, the target would click on a malicious link or visit a specially crafted Web page, Segal said. "You would then see the Google error page in your browser and with that message also receive malicious JavaScript code planted in the link," he said. Because the code is coming from Google, it can access data such as Google cookies, he said.
Google was alerted on Nov. 15 and fixed the problem on Dec. 1 by using character encoding enforcement, according to Watchfire. The security company in its advisory commends Google for its cooperation and communication regarding this vulnerability.
Earlier this year, a security flaw in Google's e-mail service, Gmail, was identified and fixed. The flaw could have allowed attackers to hijack Gmail users' in-boxes.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
<a class="jive-link-external" href="http://groups.google.com/group/n3td3v/browse_thread/thread/64a322968d71fe3b" target="_newWindow">http://groups.google.com/group/n3td3v/browse_thread/thread/64a322968d71fe3b</a>
<a class="jive-link-external" href="http://groups.google.com/group/n3td3v/browse_thread/thread/4401b8530e56cca7/8d6a60934e98fc9d?lnk=raot#8d6a60934e98fc9d" target="_newWindow">http://groups.google.com/group/n3td3v/browse_thread/thread/4401b8530e56cca7/8d6a60934e98fc9d?lnk=raot#8d6a60934e98fc9d</a>