Google Has Fixed Website Vulnerability Which Exposed Google Users to Identity Theft
Security company, Finjan, informed Google last week of a dangerous cross site scripting vulnerability on its website.
“The cross site scripting vulnerability could have allowed a remote attacker to take over victims’ Google Accounts, or fake the website’s content in order to deceive end users into downloading malicious content or providing personal and confidential information (known as ‘phishing’)”, said Limor Elbaz, VP Business Development and Strategy of Finjan.
Two Google sub-sites contained forms which did not validate and filter input. Due to the lack of data validation and filtering, this vulnerability could have allowed an attacker to inject content and scripts which could allow him to steal the victim’s cookie. If the victim were to be logged-on to their Google Account at the time, the attacker, by virtue of having the victim’s cookie, could have gained access to some of the Google services like the victim’s personal account information, his/her saved searches, Froogle’s wish list, Google alerts, or even identify the user in the Google Groups. The attacker might also have been able to change the content of the whole page, which would allow him to perform phishing attacks, or convince the user to download malicious files.
In late September, Finjan’s Malicious Code Research Center (MCRC) provided Google with full technical details, including proof-of-concept, concerning the vulnerability in order to assist Google with the fix. Google worked quickly to complete the fix on its website, which is no longer exposed to this vulnerability.