Twitter and Google Calendar Found Vulnerable to XSS Attacks
A security researcher has found security flaws in Google Calendar and Twitter that can put users' security at risk. The cross-site scripting (XSS) vulnerability can be easily exploited if a user enters malicious code into the Quick Add field of the calendar.
According to Nir Goldshlageer, a penetration testing expert at Avnet Technologies, the HTML code injection issue can send a user to a malicious website whenever he views his Google Calendar events, as reported by HACKER The Dude on January 1, 2010.
Goldshlageer claimed that when the victim inserts this harmful code, his session ID and cookies will be stolen and forwarded to the attacker's website. He added that this would enable the attacker to completely take over the victim's Google accounts, including Google Groups, Google Calendar, iGoogle and others.
The proof of concept released by researcher Nir Goldshlageer showed XSS vulnerabilities in Twitter and Google Calendar.
Twitter released a fix for the flaw on December 30, 2009, as per the reports.
On the other hand, a Google spokesperson said that they do not believe the report demonstrates a significant security issue, as reported by eWEEK on January 2, 2010.
He further said that tricking someone into pasting unknown, untrusted code into a Google Calendar text field is in no way a likely attack vector and is not being seen abused. Google will nonetheless review the input validation in Google Calendar text fields to help prevent any misuse of this capability before an event is sanitized.
Goldshlageer also showed that the HTML code injection flaw can be used to sign a user out of his own Google account, something the Google spokesperson said was insignificant from a security standpoint and could be avoided simply by not following the link.
Ultimately, the researcher said that Google should fix this at once, since an attacker can send a targeted user to any website he wishes and steal the victim's session IDs and cookies, as reported by BROADBAND DSLreports.com on January 2, 2009.
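The flaw described above comes down to user-supplied event text being placed into the page as raw HTML. The snippet below is an added illustration, not code from Google Calendar or from the researcher: a hypothetical event renderer in its vulnerable form beside a hardened form that HTML-escapes the title before interpolating it. The event title is a constructed sample.

```javascript
// Added example (hypothetical renderer, not Google Calendar's code).
// Constructed sample title: what an attacker could type into a text field
// that is later rendered into the victim's page.
const SAMPLE_TITLE = 'Lunch with team <script>alert("xss")</script>';

// Vulnerable: the raw title is interpolated into markup, so any tags it
// contains become live HTML when the event list is rendered.
function renderEventVulnerable(title) {
  return `<li class="event">${title}</li>`;
}

// Hardened: encode the five HTML-significant characters so the browser
// displays the title as text instead of parsing it as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderEventSafe(title) {
  return `<li class="event">${escapeHtml(title)}</li>`;
}

// Detection helper for a unit test or a rendering audit: report whether the
// rendered markup contains any tag beyond the <li> wrapper we emitted.
function containsInjectedTag(html) {
  const inner = html.replace(/^<li class="event">/, '').replace(/<\/li>$/, '');
  return /<\/?[a-zA-Z]/.test(inner);
}

// Stand-alone run: the vulnerable form leaks a tag, the safe form does not.
console.log(containsInjectedTag(renderEventVulnerable(SAMPLE_TITLE))); // true
console.log(containsInjectedTag(renderEventSafe(SAMPLE_TITLE)));       // false
```

Output encoding at render time is what stops the injected markup from executing; marking the session cookie HttpOnly additionally keeps script from reading it even if an encoding gap remains.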
Related article: Twitter Flaw Compels Victims to Follow Hacker’s Account
» SPAMfighter News - 12-01-2010