Google Blogoscoped

Tuesday, November 22, 2005

Google Base Security Hole

Jim Ley says there was an XSS (cross-site scripting) security hole in Google Base:

“Google Base arrived recently, sharing the same domain as gmail, so cross site security holes in Google Base will allow access to all the gmail emails, as well as XSS phishing attacks using the google brand. Of course as you would expect for a new product from a major internet company, there’d obviously been no security testing [whatsoever] and there were trivially obvious XSS holes in it. (...)

[T]he incompetent google base programmer had simply taken a parameter from the querystring, and written it unencoded into the document”

Jim adds that the security hole was fixed within hours of him alerting Google, and says he has not received any reply from Google so far.

[Via Danny Sullivan.]
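
The flaw described in the quote, a query-string parameter written into the page unencoded, is shown here next to the encoded form. This is an added example, not code from Jim Ley's report or from Google; the parameter name `q`, the page template and the probe string are constructed for illustration.

```javascript
// Added example. The parameter name "q" and the template are assumptions,
// not Google Base code.

// HTML-encode the characters that can change parsing context inside
// element content or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Read one parameter from a raw query string; absent parameters become "".
function getParam(queryString, name) {
  return new URLSearchParams(queryString).get(name) || "";
}

// Flawed pattern from the quote: the value goes into the document unencoded,
// so any markup in the parameter becomes part of the page.
function renderUnencoded(queryString) {
  const q = getParam(queryString, "q");
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Fixed: same template, value encoded at the point of output.
function renderEncoded(queryString) {
  const q = escapeHtml(getParam(queryString, "q"));
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Regression check for a test suite: send an inert marker that contains
// markup characters and report whether it comes back verbatim.
function reflectsRawMarkup(render) {
  const probe = '<b class="probe">'; // constructed, harmless marker
  const html = render("q=" + encodeURIComponent(probe));
  return html.includes(probe);
}

console.log("unencoded reflects markup:", reflectsRawMarkup(renderUnencoded));
console.log("encoded reflects markup:  ", reflectsRawMarkup(renderEncoded));
```

A check like `reflectsRawMarkup` can run against every parameter a page echoes, which is the kind of pre-launch test the quote says was missing.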

