I was able to reproduce the cross-site scripting problem here on Firefox 2, latest stable, and all it took for me was to write a 3-line PHP script, upload it to my server, and adjust the Google URL in question. Then I tested this using two different computers, with different IPs, and was able to steal the cookie and log in to Google. (On computer 1, I was logged into my Google Account, and computer 2 had removed all cookies and was thus logged out of Google. After computer 1 accessed the “prepared” Google.com URL, computer 2 received the cookies via email. After reproducing the cookies using the Firefox Web Developer extension, computer 2 was now logged in to Google with computer 1’s “borrowed” credentials.)
Update: The bug has been fixed – the HTML injection is now correctly defended by Google.
Update 2: I’m following up with more on Google security.