
Google Expert Draws Similarity Between Two Exploits

There is a cross-site scripting (XSS) vulnerability in one of Google's Web hosting services. The vulnerability can be used to alter third-party Google documents and Excel files, as well as to view e-mail subjects and past search data, said the Google Blogoscoped blog. Google Blogoscoped is a third-party site that comments on Google developments. The company, however, patched the vulnerability early.

A Google expert, Tony Ruscoe, discovered the Google flaw when he was able to steal an individual's cookie and issue commands to a variety of services on that person's account, such as Google Docs and Google Analytics.

Ruscoe posted all the details of the exploit on the blog. The security flaw was connected to a Google feature just released on the blog. In the second week of January 2007, Google was hosting custom domains. Ruscoe noticed that a user had entered "ghs.google.com" as the domain name of his blog.

The writer of Google Blogoscoped, Philipp Lenssen, said on January 14, 2007, that the vulnerability resembled another flaw in Blogger Custom Domains.

According to Lenssen, the Custom Domains flaw enabled Ruscoe to construct a page and host it on a Google.com domain. Ruscoe's actions demonstrated how code could be used to steal a Google cookie and intercept users' Google services. The second vulnerability that Lenssen reported worked similarly, allowing JavaScript code to transmit cookie data to a different party.
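Why script on a page hosted under a Google.com domain can reach cookies used by other Google services, as an added example that is not from the original article or from Google: a simplified model of browser cookie scoping (RFC 6265 domain matching plus the HttpOnly flag). The cookie names and attributes and the host `usercontent.example` are constructed for illustration; the Path and Secure attributes are not modelled.

```javascript
// RFC 6265 domain-match: the host equals the cookie's Domain attribute
// or is a subdomain of it (a leading dot in the attribute is ignored).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Would script running on pageHost see this cookie in document.cookie?
function scriptReadable(cookie, pageHost) {
  if (cookie.httpOnly) return false; // HttpOnly cookies are never exposed to script
  if (cookie.domain === undefined) {
    // No Domain attribute: host-only cookie, visible only on the host that set it.
    return pageHost.toLowerCase() === cookie.setBy.toLowerCase();
  }
  return domainMatch(pageHost, cookie.domain);
}

// Names of the cookies that script on pageHost could read and send elsewhere.
function exposedCookies(cookies, pageHost) {
  return cookies.filter((c) => scriptReadable(c, pageHost)).map((c) => c.name);
}

// Constructed sample cookies (illustrative only, not Google's real cookies).
const sampleCookies = [
  { name: "session_wide", setBy: "www.google.com", domain: "google.com", httpOnly: false },
  { name: "session_httponly", setBy: "www.google.com", domain: "google.com", httpOnly: true },
  { name: "session_hostonly", setBy: "www.google.com", domain: undefined, httpOnly: false },
];

// User-controlled content served from a sibling host of the main domain
// shares the scope of domain-wide cookies; a separate registrable domain does not.
for (const host of ["ghs.google.com", "www.google.com", "usercontent.example"]) {
  console.log(host, "->", exposedCookies(sampleCookies, host));
}
```

In this model only the domain-wide, script-readable cookie is exposed to a page on `ghs.google.com`; marking it HttpOnly, leaving off the Domain attribute, or serving user content from a separate domain removes it from reach.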

A representative of Google said that the company attended to both vulnerabilities adequately. ZDNet published this statement on January 16, 2007. Google was fast in fixing the problems. Within three hours, its specialists removed the page posted on Google's servers.

That night, the company circulated a message of thanks for the report of the issue. It assured users that it is serious about their security and pays adequate attention to their complaints and suggestions. The message stated that Google addressed the problem immediately and took steps to prevent its repetition.

In addition, Google invited bug hunters to report security issues relating to Google directly to the company, so that it can develop patches before the general public becomes aware of the flaws.

Related article: Google Rectifies Gmail flaw in Three Days

» SPAMfighter News - 22-01-2007
