Thursday, May 3, 2007

Google Video Ad Mockups with XSS Potential

Google had several video ad demo pages which looked like non-Google sites, except for their google.com-based domain. The pages aren’t new, but I’ve been told these pages started to rank well in some search results (e.g. in a search for paintball news feed). What’s noteworthy was that some of these page included the full original template of the page they were mocking up – including references to JavaScripts hosted on other servers (like on the Break.com [source] or Car Connection pages)! As these JavaScript files might change their behavior anytime they might also be usable for cross-site scripting – which can allow partial take-over of your Google account – so either the mock-ups had been set up by a Google engineer unaware of cross-site scripting issues, or Google is putting a lot of trust into their partner servers like Break.com (and everyone who works with them). And not just the partner servers, because additionally, some of these pages included JS files hosted on servers outside of the mocked-up domain (the CarConnection.com mock-up included a link to a JS hosted on QuestionMarket.com).

After I alerted Google Security (security@google.com) of this issue last week they fixed it within a couple of days – all video ad mockups have now been removed, and the page reads “Our apologies, but the demos are currently unavailable. Please check back at a later time.”

[Thanks Caleb Schmidt!]

Google Video Ad Mockups w ... by Philipp Lenssen | Comments (0)

>> More posts

Advertisement