To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39153194,00.htm

Google fixes phishing flaw
Adwords vulnerability sorted, say security researchers

By Joris Evers

Published: Tuesday 11 October 2005

Google has fixed a security flaw on its website that opened the door to phishing scams, account hijacks and other attacks, security researchers said on Monday.

The flaw, known as a cross-site scripting vulnerability, existed on the website for Google's AdWords advertising program and a customer training site, according to security company Finjan Software, which discovered the problem.

Attackers could have exploited the flaw to hijack Google accounts, launch phishing scams or even download malicious code onto users' computers, according to Finjan. Phishing scams are designed to trick people into giving up sensitive information such as user names, passwords, credit card details and Social Security numbers.

Finjan informed Google of the bug late last month and the problem was fixed within 30 hours, said Limor Elbaz, a vice president at Finjan, which is headquartered in San Jose, California. "Google's responsiveness was very good," she said.

Google confirmed that it was alerted "a little while ago" and fixed the flaw. A Google representative said in an emailed statement: "No user data was compromised, and we applaud Finjan for following industry best practices for vulnerability disclosure."

The security problem existed because forms on Google's website did not validate and filter data entered into certain fields. This allowed an attacker to inject extra content and scripts that would run on the user's computer, according to Finjan. To take advantage of the flaw, an attacker would have to craft a special web link and trick the user to follow it.

Elbaz said: "The dangerous thing in the case of Google is that the link would look like an innocent Google link."

Cross-site scripting flaws are found regularly. Earlier this year, Finjan spotted a similar bug in Microsoft's Xbox 360 website. The company earlier identified holes in Yahoo!'s web-based email service.

Finjan, which sells products to protect corporate systems against web-based attacks, has tools to scan websites for vulnerabilities. The company regularly puts popular websites to the test. Elbaz said: "We do this to encourage vendors to improve their products."

With the cross-site scripting flaw fixed, Google's website is now deemed secure by Finjan. "We found that the rest of the website is not vulnerable, at least to the cross-site scripting vulnerabilities," Elbaz said. "We will keep following the site."

Earlier this year a security flaw in Google's email service, Gmail, was identified and fixed. The flaw could have allowed attackers to hijack Gmail users' in-boxes.

Joris Evers writes for CNET News.com