Several Google cross-site scripting issues reported

Forum

Several Google cross-site scripting issues reported
Juha-Matti Laurio	Sunday, July 15, 2007 17 years ago • 2,814 views
Site XSSed.com has listed several cross-site scripting vulnerabilities (so-called XSS issues) on Google Web sites. Case #1 (Google UK), reported 14th Jul: NOTE: causes redirection www.google.co.uk/local_url?q=http:// geocities.com/pinkelephant2k7/owned.html Case #2 (Browser Sync), reported 14th Jul: NOTE: causes redirection browsersync.google.com/local_url?q=http:// xssed.com Case #3 (Sketchup), reported 14th Jul: NOTE: causes redirection sketchup.google.com/local_url?q=http:// xssed.com Case #4 (Picasa), reported 13th Jul: NOTE: causes redirection picasa.google.com/local_url?q=http:// xssed.com Case #5 (Google Earth), reported 13th Jul: NOTE: causes redirection earth.google.com/local_url?q=http:// xssed.com Case #6 (Google Desktop), reported 13th Jul: NOTE: causes redirection desktop.google.com/local_url?q=http:// xssed.com Link to the mirror-type archive of the XSSed.com: http://xssed.com/archive All of these six issues are unpatched still. [Unlinked URLs, just to be on the safe side – Tony]
TOMHTML	17 years ago #
http://www.google.com/reviews/url?q=http://www.yahoo.com there is a lot like that, Google is aware about that since a while.
Juha-Matti Laurio	17 years ago #
Thanks for confirming that Google is aware about the issues!
Martin Porcheron	17 years ago #
All those URLs are meant to redirect though. By doing that, Google stops other sites getting PR from links on Google websites (which nearly all have high PR). This doesn't pose any security risk to anyone that I can think of.
TOMHTML	17 years ago #
"This doesn't pose any security risk to anyone that I can think of." > ARE YOU SURE? Everybody isn't aware about that kind of "hack". A hacker has just to send by mail an address "...google.com/...[encrypted phising url]" to a newbie Internet user, the guy click and is redirected to a page wich looks like to Google, the poor guy log in and the hacker gets the login and the password. If there wasn't any security risk, why Google already warns people with that redirection: http://google.com/url?q=http://cnn.com ?
/pd	17 years ago #
xs-sniper.com has some good e.g on cross app vectors.
Juha-Matti Laurio	17 years ago #
Yes, the demo-type link is located here: http://www.xs-sniper.com/nmcfeters/Cross-App-Scripting-2.html
Juha-Matti Laurio	17 years ago #
Thanks for modifying the URLs, Tony. There is no malicious content if user is being redirected to xssed.com, but that's better now, however.
Haochi	17 years ago #
Technically that's not really XSS, but yeah, as Tom said, there might be potential security for novice users.
TOMHTML	17 years ago #
search online you will find dozens of these kind of "hackable" URLs, more than the 6 of Juha-Matti
Juha-Matti Laurio	16 years ago #
Yes, you'll probably find more these kind of URLs!
Juha-Matti Laurio	16 years ago #
Xssed.com reported two new issues on Wednesday: http://xssed.com/mirror/12663/ The format of the case is: www.google.com/search? source=www.xssed.com& hl=www.xssed.com& q=www.xssed.com& btnG=www.xssed.com& btnI=www.xssed.com http://xssed.com/mirror/12479/ The format of the second case is: www.google.gr/local_url?q=http:// bg.org.tr Both of these are redirection-type issues. URLs modified with extra spaces to make them non-clickable [URL updated – Tony]

Forum home

>> More posts

Blog | Forum more >> Archive | Feed | Google's blogs | About

This site unofficially covers Google™ and more with some rights reserved. Join our forum!