Google Expert Draws Similarity Between Two Exploits
There is a cross-site scripting (XSS) vulnerability in one of Google's Web hosting services. The vulnerability could be used to alter third-party Google documents and Excel files and to view e-mail subjects and past search data, according to the Google Blogoscoped blog. Google Blogoscoped is a third-party site that offers opinion on Google developments. The company has, however, patched the vulnerability early.
A Google expert, Tony Ruscoe, discovered the Google flaw when he was able to steal an individual's cookie and issue commands on a variety of services on that person's account, such as Google Docs and Google Analytics.
Ruscoe posted all the details of the exploit on the blog. The security flaw was connected to a Google feature just released on the blog. In the second week of January 2007, Google was hosting custom domains. Ruscoe noticed that a user had entered "ghs.google.com" as the domain name of his blog.
The writer of Google Blogoscoped, Philipp Lenssen, said on January 14, 2007, that the vulnerability resembled another flaw in Blogger Custom Domains.
A representative of Google said that the company attended to both vulnerabilities adequately. ZDNet published this statement on January 16, 2007. Google was quick to fix the problems. Within three hours, its specialists removed the page posted on Google's servers.
That night, the company circulated a message of thanks for the report of the issue. The company gave assurances that it is serious about the security of its users and pays adequate attention to their complaints and suggestions. The message stated that Google addressed the problem immediately and that it took steps to prevent its repetition.
In addition, Google invited bug hunters to report security issues relating to Google directly to the company, so that it can develop patches before the general public becomes aware of the flaws.
» SPAMfighter News - 22-01-2007