Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Google Businesses The Internet

Cross Site Scripting Discovered in Google 158

Posted by CmdrTaco from the hate-when-that-happens dept.
Security Test writes "Yair Amit posted a message early this morning to The Web Security Mailing List outlining a Cross Site Scripting flaw in Google that allows an attacker to carry out Phishing Attacks."
This discussion has been archived. No new comments can be posted.

Cross Site Scripting Discovered in Google More

Cross Site Scripting Discovered in Google

Comments Filter:

  • What bullshit... (Score:3, Interesting)

    by ninja_assault_kitten ( 883141 ) on Wednesday December 21, 2005 @11:27AM (#14309160)
    Now we're going to start posting every freaking XSS we find? This is a VERY low impact XSS vul. Hell it's not even persistent. Who freaking cares? Are we going to post the slew of recent Yahoo XSS bugs too? WHat about the bug in Google Analytics which allowed you to iterate through all the customer domains?

  • Could have been announced 3 weeks ago too. (Score:4, Interesting)

    by kawika ( 87069 ) on Wednesday December 21, 2005 @11:28AM (#14309167)
    If there ever was an endorsement for web-based applications, this is it. When a bug is fixed in Windows or Linux, it stays active in the wild for months or years because many users don't update. With web apps the user basically gets an "update" each time they visit the site. If Google fixed the problem on December 1, the vulnerability could have been announced the same day without any kind of negative impact.

  • Advantage of online applications (Score:5, Interesting)

    by G4from128k ( 686170 ) on Wednesday December 21, 2005 @11:31AM (#14309188)
    This example illustrates the advantages of web applications. Google was able to patch the flaw and roll it out to 100% of the user base in a short time period. Providing applications online means centralized version control and patching -- there's no waiting for all the users to patch.


    The downside is that this only works if the app provider is a proprietary vendor with a closed architecture. If 3rd parties are allowed to create extensions or if users can create their own utilities/add-ons then centralized patching would likely introduce the same types of incompatibilities and breakages that current OS patches can introduce. Worse, centralized control might mean that users have no choice but to live with the patched version.

  • This is amazing. (Score:5, Interesting)

    by dada21 ( 163177 ) * <adam.dada@gmail.com> on Wednesday December 21, 2005 @11:32AM (#14309201) Homepage Journal
    I'm always blown away by how the Internet security market works and self-correct itself without any regulation.

    A major web site has a flaw. White hat and black hat "hackers" find that flaw, exploit it, and either abuse it or let the web site know about it. The web programmers go in and close the exploit because it affects how their customers use the service and could open them up to some liability.

    This is the way the free market works. I'm a huge fan of how quickly the Internet (anthropomorphically) adapts to the changing needs of the billion of users. Some exploits that aren't fixed by the owners of code are fixed by third parties -- sometimes for profit and sometimes for free. Before we can even write one law to attempt to solve problems, others are already attacking the problems.

    I'd like to see it stay this way. Every time we move forward to create legislation to protect the end user (see CAN-SPAM and a myriad of other laws), we see failure time and again. The loopholes in the laws make them irrelevant quickly, and all we get out of that is wasted money and wasted time.

    Let the growth and expansion occur freely. We'll see some bad times (new viruses and new spam exploits) but we'll see those fixed in short order. If they don't get fixed, why is the Internet still chugging along and growing every day?

  • Cross-Site Scripting for Internet Explorer (Score:5, Interesting)

    by Anonymous Coward on Wednesday December 21, 2005 @11:48AM (#14309352)

    This is reported as a Google.com bug, which is partially true. But this is only one half of the problem. The other half of the problem (mentioned in the full article) is due to a dubious feature in Internet Explorer: when it gets a page without a specified character encoding, it does not rely on default values for the encoding (which should be iso-8859-1 for HTML or UTF-8 for XHTML).

    Instead, Internet Exploerer tries to guess the encoding of the contents by looking at the first 4096 bytes of the page and checking the non-ASCII characters. In the case of the cross-site scripting attack decribed here, the problem is that IE would silently set the encoding of a page to UTF-7 in case some characters in the first 4096 bytes looked like UTF-7. This silent conversion to UTF-7 by Internet Explorer in a text that Google assumed to use the default encoding allowed the attackers to bypass the way Google was filtering "dangerous" characters in some URLs.

    The article puts the full blame for the vulnerability on Google.com. I think that a part of the blame should also be shared by the Internet Explorer designers (and any other browser that does unexpected things while trying to guess what the user "really meant").

  • Cookies (Score:3, Interesting)

    by kernelfoobar ( 569784 ) on Wednesday December 21, 2005 @12:23PM (#14309683)
    I don't know if it's related, but I've noticed a couple of times that when I get the search result page, I get asked to set a cookie from one of the sites in the results, without clicking on them. (my Firefox is configured to ask me to set cookies.). This is somewhat disturbing, I mean if my FF was set to accept cookies automatically, I would have cookies for sites I have never visited...

    Did anyone else notice this?

  • OT: date format (Score:2, Interesting)

    by higuita ( 129722 ) on Wednesday December 21, 2005 @02:35PM (#14310817) Homepage
    12/01/2005

    No offence but i think that this US format is plain stupid... really...

    Is that 12 of january or 1 of december? its a format that have several possible intepretations and without any logic (middle time scale/low/high !?!)

    I can understand very well the 2005/12/01 and the 01/12/2005 (i prefer the first, specially in computers, but last is better for reading on paper) but the mixed US format is wierd and dangerous...

    Most of the time looks like you must guess the correct date.

    so why dont the US kill this stupid format?

  • Re:bzzzt. (Score:3, Interesting)

    by slashkitty ( 21637 ) on Wednesday December 21, 2005 @02:46PM (#14310916) Homepage
    if you put this on a site you trust it is, and other have access to it. One can pass a link that contains a script, which could do all sorts of things. It can load up pages on the site and perform actions, steal cookies and information on the site, or present full pages of information that look like a regular page on the site, which is very usuful in phishing attacks.

    In an earlier XSS exploit, I wrote a javascript that could be injected into a citibank site. It would automatically go through the ENTIRE money transfer process, including confirmations. (It was not used on other people of course, and they shut down that site evetually) Other examples I have made included fake articles on NYTimes site and stolen cookies from microsoft.com

Slashdot Top Deals

Beware of Programmers who carry screwdrivers. -- Leonard Brandwein

Close