Google Blogoscoped

Friday, September 28, 2007

Google XSS Exploit May Show Some Private Data

In the recent days, an unusually high amount of Google-related security issues have been reported on the web. For instance, one developer was reportedly able to insert a backdoor into Gmail by luring people onto a specially prepared webpage, exposing private data. In not all, but many of these exploits, the problem is that your Google Account cookie can be stolen via so-called cross-site scripting (XSS) attacks; “cross-site”, because the cookie info wanders from (where it’s supposed to be read) to (where it’s not supposed to be read). Basically, such an attack can be executed when someone finds a way to publish their own, free-style HTML/ JavaScript onto any * domain (like Google Calendar, Google Docs, Google Reader, Google News and so on).

Now, co-editor Tony Ruscoe stumbled upon another XSS vulnerability. By posting his specially prepared file of the Google Docs family which exploits a non-standard, incorrect Internet Explorer behavior, and then pushing me as experimental “victim” onto this file by sending me a link I clicked, Tony was able to get a Google Account cookie of mine, as I was previously logged-in to Google. (Tony did not need to point me to a domain of his, I was only accessing Google-hosted content; I did have to use Internet Explorer though, as it didn’t work with Firefox.) Google security has been informed about this vulnerabiliy and we won’t disclose how to reproduce this for now to give Google time to fix it.

Now, here’s what Tony was able to do with the cookie (as opposed to how a real attacker would act, he only did this after I gave him permission, of course):

Here’s what Tony was specifically not able to do:

Below are some of the screenshots Tony took while exploring my Google account:

In other words, this stealing from the cookie jar can be risky for the victim, but it must not be completely dramatic in all cases. Even so, it’s another reminder how the growingly powerful Google Account framework not only offers more power to lazy people (you don’t need to sign-in to Google services over and over), but also more power to abusers. All that’s needed to start most of these attacks is a bug or oversight in one of the many Google services, and a victim who visits a prepared webpage. If you want to be save from this, you can always log-out of your Google account when not using Gmail and other services, and try to not view pages you don’t trust (and try not to follow to pages you may think you trust, but which have been sent to you by non-trusted people).


Blog  |  Forum     more >> Archive | Feed | Google's blogs | About


This site unofficially covers Google™ and more with some rights reserved. Join our forum!