Google Blogoscoped

Forum

New XSS Issues

Ionut Alex. Chitu [PersonRank 10]

Friday, March 16, 2007
17 years ago2,511 views

Someone exploited an XSS vulnerability in Google Groups to run a script that obtains your Gmail contact list and does anything with it.

While the post insists on the Gmail contact list, I think the main problem is in Google Groups.

Note: the post actually contains a proof of concept.

http://mybeni.rootzilla.de/mybeNi/2007/gmail_information_disclosure/

TOMHTML [PersonRank 10]

17 years ago #

It seems to be the same hack used by Haochi at the begining of the year

Ionut Alex. Chitu [PersonRank 10]

17 years ago #

Not quite. Haochi used the JS output directly. This time, they used the XML + a Google Groups flaw in parsing URLs.

TOMHTML [PersonRank 10]

17 years ago #

And the flaw is still there. Google Security team is on holiday?

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!