Google Blogoscoped

Tuesday, January 16, 2007

Another Google Hole Uncovered

Hard to believe but true: there’s another vulnerability currently live on Google’s servers. It lets a malicious hacker point you to a (long) URL and then receive your Google cookie data, with which the hacker can access and modify your Google docs and spreadsheets, view your email subjects and first words, your search history (if enabled) and much more... similar to the previous vulnerability.

I was able to reproduce the cross-site scripting problem here on Firefox 2, latest stable, and all it took for me was to write a 3-line PHP script, upload it to my server, and adjust the Google URL in question. Then I tested this using two different computers, with different IPs, and was able to steal the cookie and log in to Google. (On computer 1, I was logged into my Google Account, and computer 2 had removed all cookies and was thus logged out of Google. After computer 1 accessed the “prepared” URL, computer 2 received the cookies via email. After reproducing the cookies using the Firefox web developer extension, computer 2 was now logged in to Google with computer 1’s “borrowed” credentials.)

This particular security hole is connected to an update to a specific Google service which doesn’t correctly escape injected HTML, so an attacker can inject JavaScript that passes your cookie data to an external server. I won’t reveal the details here for now and rather give Google time to fix this bug; Haochi alerted their security team 7 hours ago.

Note that no one can steal your Google cookie using this vulnerability unless they manage to make you visit a specific URL (which may not look like a Google URL, e.g. the abuser may hide it behind TinyURL), and possibly this doesn’t work with all browsers. Also note that this vulnerability, to my knowledge, does not expose your full Gmail emails. But if you have sensitive information stored in Google’s services and want to be very safe from this exploit, you can log out of Google, not visit any URLs you don’t absolutely know and trust (including very long URLs), or disable JavaScript.

[Thanks Haochi, with hat tip to Garett, Tony, and Digg’s G. & A.!]

Update: The bug has been fixed – the HTML injection is now correctly defended by Google.

Update 2: I’m following up with more on Google security.

