Site XSSed.com has listed several cross-site scripting vulnerabilities (so-called XSS issues) on Google Web sites.
Case #1 (Google UK), reported 14th Jul: NOTE: causes redirection www.google.co.uk/local_url?q=http:// geocities.com/pinkelephant2k7/owned.html
Case #2 (Browser Sync), reported 14th Jul: NOTE: causes redirection browsersync.google.com/local_url?q=http:// xssed.com
Case #3 (Sketchup), reported 14th Jul: NOTE: causes redirection sketchup.google.com/local_url?q=http:// xssed.com
Case #4 (Picasa), reported 13th Jul: NOTE: causes redirection picasa.google.com/local_url?q=http:// xssed.com
Case #5 (Google Earth), reported 13th Jul: NOTE: causes redirection earth.google.com/local_url?q=http:// xssed.com
Case #6 (Google Desktop), reported 13th Jul: NOTE: causes redirection desktop.google.com/local_url?q=http:// xssed.com
Link to the mirror-type archive of XSSed.com: http://xssed.com/archive
All six of these issues are still unpatched.
[Unlinked URLs, just to be on the safe side – Tony] |
http://www.google.com/reviews/url?q=http://www.yahoo.com
There are a lot like that; Google has been aware of that for a while. |
Thanks for confirming that Google is aware of the issues! |
All those URLs are meant to redirect though. By doing that, Google stops other sites getting PR from links on Google websites (which nearly all have high PR). This doesn't pose any security risk to anyone that I can think of. |
"This doesn't pose any security risk to anyone that I can think of." > ARE YOU SURE? Everybody isn't aware of that kind of "hack". A hacker just has to send by mail an address "...google.com/...[encrypted phishing url]" to a newbie Internet user; the guy clicks and is redirected to a page which looks like Google, the poor guy logs in and the hacker gets the login and the password.
If there wasn't any security risk, why does Google already warn people with that redirection: http://google.com/url?q=http://cnn.com ? |
xs-sniper.com has some good examples of cross-app vectors.
|
Yes, the demo-type link is located here: http://www.xs-sniper.com/nmcfeters/Cross-App-Scripting-2.html |
Thanks for modifying the URLs, Tony. There is no malicious content if the user is being redirected to xssed.com, but that's better now, however. |
Technically that's not really XSS, but yeah, as Tom said, there might be potential security for novice users. |
Search online and you will find dozens of these kinds of "hackable" URLs, more than the 6 of Juha-Matti. |
Yes, you'll probably find more of these kinds of URLs! |
Xssed.com reported two new issues on Wednesday:
http://xssed.com/mirror/12663/ The format of the case is:
www.google.com/search? source=www.xssed.com& hl=www.xssed.com& q=www.xssed.com& btnG=www.xssed.com& btnI=www.xssed.com
http://xssed.com/mirror/12479/ The format of the second case is: www.google.gr/local_url?q=http:// bg.org.tr
Both of these are redirection-type issues. URLs modified with extra spaces to make them non-clickable.
[URL updated – Tony] |
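An added example, not part of the original post or its comments: a server-side check for a redirect endpoint like the `local_url?q=` ones listed above. It passes trusted targets through, sends other sites to a warning page (the behaviour a commenter notes for google.com/url?q=), and rejects malformed targets. The function name, the trusted-host list and the sample inputs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts this hypothetical site redirects to without asking.
TRUSTED_HOSTS = frozenset({"example.com", "www.example.com"})


def classify_redirect(target, trusted_hosts=TRUSTED_HOSTS):
    """Decide what to do with a user-supplied ?q= redirect target.

    Returns 'redirect' (safe to follow), 'warn' (show an interstitial
    naming the destination) or 'reject' (refuse the request).
    """
    # Backslashes, whitespace and control characters are parsed differently
    # by browsers and by URL libraries, so refuse them outright.
    if not target or any(c == "\\" or ord(c) <= 0x20 or ord(c) == 0x7F
                         for c in target):
        return "reject"
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return "reject"
    if not parts.scheme and not parts.netloc:
        # Same-site path. "//host" and "///host" are treated by browsers
        # as another origin, so only a single leading slash is accepted.
        ok = target.startswith("/") and not target.startswith("//")
        return "redirect" if ok else "reject"
    if parts.scheme not in ("http", "https"):
        return "reject"  # javascript:, data:, scheme-relative //host
    if host is None or parts.username is not None or parts.password is not None:
        return "reject"  # http://trusted@other-host/ style confusion
    # Exact host match only: "www.example.com.other.tld" is not trusted.
    return "redirect" if host in trusted_hosts else "warn"


if __name__ == "__main__":
    # Constructed sample inputs; xssed.com is the destination used on this page.
    for sample in ["/maps/place", "http://www.example.com/a", "http://xssed.com",
                   "http://www.example.com@xssed.com/", "//xssed.com",
                   "javascript:alert(1)"]:
        print(f"{classify_redirect(sample):8} {sample}")
```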