Google slams the door on XSS flaw

Google has patched a cross-site scripting (XSS) vulnerability in one of its web-hosting services.

If left unpatched, the vulnerability could have allowed hackers to modify third-party Google documents and spreadsheets, and view mail subjects and search history, according to the Google Blogoscoped blog.

Philipp Lenssen, the author of Google Blogoscoped - a third-party site that comments on Google developments - said the vulnerability was similar to another vulnerability in Blogger Custom Domains, reported at the weekend.

He said: "The security hole is connected to an update to a specific Google service which doesn't correctly defend against HTML injections."

According to Lenssen, the earlier Custom Domains vulnerability allowed another Google expert, Tony Ruscoe, to create a page that was hosted on a Google.com domain. Ruscoe was able to prove he could have used code to steal a user's Google cookie and access their Google services.

The second vulnerability, reported by Lensson, would also have enabled a hacker to use JavaScript code to pass cookie data to an external source.

Google UK had not responded to a request for comment at the time of writing.

Tom Espiner writes for ZDNet UK