This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://software.silicon.com/security/0,39024655,39165235,00.htm
Google slams the door on XSS flaw
'Stop cookie thief!'
By Tom Espiner
Published: Wednesday 17 January 2007
Google has patched a cross-site scripting (XSS) vulnerability in one of its web-hosting services.
If left unpatched, the vulnerability could have allowed hackers to modify third-party Google documents and spreadsheets, and view mail subjects and search history, according to the Google Blogoscoped blog.
Philipp Lenssen, the author of Google Blogoscoped - a third-party site that comments on Google developments - said the vulnerability was similar to another vulnerability in Blogger Custom Domains, reported at the weekend.
He said: "The security hole is connected to an update to a specific Google service which doesn't correctly defend against HTML injections."
According to Lenssen, the earlier Custom Domains vulnerability allowed another Google expert, Tony Ruscoe, to create a page that was hosted on a Google.com domain. Ruscoe was able to prove he could have used code to steal a user's Google cookie and access their Google services.
The second vulnerability, reported by Lenssen, would also have enabled a hacker to use JavaScript code to pass cookie data to an external source.
Google UK had not responded to a request for comment at the time of writing.
Tom Espiner writes for ZDNet UK
Copyright © 2008 CBS Interactive Limited. All rights reserved.