Slashdot Mirror


Cross Site Scripting Discovered in Google

Security Test writes "Yair Amit posted a message early this morning to The Web Security Mailing List outlining a Cross Site Scripting flaw in Google that allows an attacker to carry out Phishing Attacks."

16 of 158 comments

  1. but this was resolved three weeks ago. by Artifex · · Score: 4, Informative
    From TFA:
    --[ Solution

    Google solved the aforementioned issues at 01/12/2005, by using
    character encoding enforcement.

    --[ Acknowledgement

    The author would like to commend the Google Security Team for their
    cooperation and communication regarding this vulnerability.
    --
    Get off my launchpad!
    1. Re:but this was resolved three weeks ago. by Pinky3 · · Score: 3, Informative

      "Google solved the aforementioned issues at 01/12/2005, by using
      character encoding enforcement."

      12/01/2005 for those in the US.

    2. Re:but this was resolved three weeks ago. by Artifex · · Score: 4, Informative
      I prefer 01-12-2005 for logfile names, so in a directory list, they appear by date even when sorting by name.

      Unless you cross a year in your directory, like logs going from September, 2004, to August, 2005. :) I've found YYYY-MM-DD to be the easiest way to ensure chronological consistency.

      --
      Get off my launchpad!
  2. It's been fixed by b4k3d+b34nz · · Score: 4, Informative

    Although the article details an interesting exploit, Google fixed this on the 1st of this month--The title is somewhat misleading. It is useful to know that Google fixed this vulnerability 2 weeks after it was discovered, on November 15th.

    Also, for those of us unaccustomed to DD/MM/YYYY date format, that's the format of all dates in the article.

    --
    Grammar Lesson: you're is a contraction of "you are"; your means you possess something; yore means days gone by.
  3. Re:Hmm by op12 · · Score: 4, Informative

    From the message:

    --[ Discovery Date: 15/11/2005
    --[ Initial Vendor Response: 15/11/2005
    --[ Issue solved: 01/12/2005

    Message posted: 21/12/2005

    They did give them a chance to fix it first.

  4. Others.. by slashkitty · · Score: 5, Informative

    They've had others in the past, but were quick to fix them. They have even sent t-shirts as thanks for the help. Other sites are not so friendly or fast. This site shows active security holes in various sites that have gone unresolved. (CSS, insecure logins, etc)

    --
    -- these are only opinions and they might not be mine.
    1. Re:Others.. by openSoar · · Score: 2, Informative

      Not long after GMail was launched I inadvertently discovered a serious issue they had with some over-aggressive caching - sometimes when people in the same office as me logged onto their Gmail accounts they would see my Inbox - quite worrying, although they weren't able to actually open any of the messages.

      I spent quite some time explaining things to the GMail devs but no freebies for me..

    2. Re:Others.. by Bogtha · · Score: 4, Informative

      They've had others in the past, but were quick to fix them.

      Not true. Google ignored a security hole for two years and don't understand Javascript well enough to fix it properly.

      --
      Bogtha Bogtha Bogtha
  5. Javascript is a security problem? by Anonymous Coward · · Score: 2, Informative
    Noooo, say it ain't so, Who'd 'a thunk it?

    I turned javascript off in 1999, just one less glaring security issue for me to address. Before anyone starts talking smack about responsive web apps, just remind me what Ed Felten said about flying pigs.

    That's right, disable js and fix the web!

    1. Re:Javascript is a security problem? by tuffy · · Score: 5, Informative

      Rather than turn off JavaScript entirely, I use the NoScript extension to turn it off everywhere but on the sites I allow. The only adjustment needed was to turn off the "NoScript has blocked JavaScript" message in the extension options since it occurred so frequently.

      --

      Ita erat quando hic adveni.

  6. XSS in my banks website by thr0n · · Score: 5, Informative
    I told them about the XSS (CSS) security holes 2 months ago -
    response was something like: "We will work on it; or we won't - but we won't tell you ;)".
    Which sucks...

    Here we go:

    Original:
    https://www.vr-ebanking.de/index.php?RZBK=0280
    MY Version (XSS):
    https://www.vr-ebanking.de/help;jsessionid=XA?Acti on=SelectMenu&SMID=EigenesOrderbuch&MenuName=&Init Href=http://www.consti.de/secure
    /Fälschung --> Imitation /

    ... Hope they change their mind, sometime. :)

    Consti / thr0n

  7. Another Beatles Beatles by Phosphor3k · · Score: 4, Informative

    Someone is trying to get their Pagerank up by submitting the story with a name of "Security Test" and linking to their shoddy website. The site has only a few links, no content, and it says the page is for sale. Will slashdot ever get their shit together and stop posting submissions with blatant pagerank-whoring links like this?

  8. Re:Encoded post.. by Anonymous Coward · · Score: 1, Informative
    Does anyone have the real post that hasn't been mangled by the mailing list? What are these characters that they used? Does anyone have a working exploit of this type (encoded xss) on another site?

    I think that the authors of the report did the responsible thing in informing Google first, waiting until the problem was fixed (within a reasonable amount of time) and then describing the vulnerability without providing an exploit.

    The message gives enough clues about how to create an exploit, though. You just have to know a bit about the UTF-7 encoding. Hint: this is not the same as UTF-8 or iso-8859-1. Once you know that, think about how one could fool a filter that is trying to remove "dangerous" characters from a text, knowing that the filter expects these characters to be encoded in iso-8859-1, while they are interpreted by the browser as UTF-7. Second hint: think about how a single character is encoded in multiple characters and how the bit shifting is done. Your goal in this case would be to encode some text in such a way that the filter expecting the default encoding would only see garbage, while the browser decoding the same text as UTF-7 would see something like "<script ...>". Writing the exploit is left as an exercise to the reader.
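The comment above describes the filter-bypass condition (the filter and the browser disagreeing on the character encoding) and the advisory names the fix, "character encoding enforcement". As an added illustration that is not part of the thread or of Google's code, here is a small defender-side Python sketch: a check that a response pins an explicit charset, an echo routine that decodes input strictly and escapes it after decoding, and a review aid that flags UTF-7-style shift sequences in a body. All function names and the sample strings are constructed for this example.

```python
import re
from html import escape

# A UTF-7 shift sequence is a '+', a run of modified-base64 characters and a
# terminating '-'. Plain text can also contain such runs, so treat hits as
# review candidates, not verdicts. (Constructed pattern for this example.)
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]{4,}-")


def charset_enforced(headers):
    """True if the response declares an explicit charset other than UTF-7.

    Without a declared charset a browser may sniff the encoding from the
    body, which is the condition the advisory's fix removes.
    """
    ctype = headers.get("Content-Type", "")
    m = re.search(r"charset=([\w-]+)", ctype, re.I)
    return bool(m) and m.group(1).lower() != "utf-7"


def render_search_echo(query, headers):
    """Echo user input into HTML safely: decode strictly as UTF-8 first
    (invalid bytes raise UnicodeDecodeError instead of being passed through),
    escape the decoded text, and pin the charset on the response so the
    browser decodes the page the same way the filter did."""
    if isinstance(query, bytes):
        query = query.decode("utf-8", errors="strict")
    headers["Content-Type"] = "text/html; charset=UTF-8"
    return "<p>Results for: %s</p>" % escape(query, quote=True)


def flag_utf7_shift_sequences(body):
    """Return substrings of body that look like UTF-7 shift sequences, for
    reviewing responses or request logs of a page whose charset is not
    enforced."""
    return UTF7_SHIFT.findall(body)


if __name__ == "__main__":
    hdrs = {}
    print(render_search_echo('<b>"quoted"</b>', hdrs))
    print(charset_enforced(hdrs))
    # Constructed sample: "+AGEAYgBj-" is the UTF-7 form of the ASCII text "abc".
    print(flag_utf7_shift_sequences("hello +AGEAYgBj- world"))
```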

  9. Re:How do they find these things . . . legally? by slashkitty · · Score: 4, Informative
    Well, with XSS, you don't have to "break into" anything to discover the vulnerability. All you do is throw the webservers a few strings and see what they send back.

    I've found dozens of XSS problems on sites, and have made news for one on Citibank. I've only received a few threatening legal letters from companies.

    --
    -- these are only opinions and they might not be mine.
  10. Re:Cookies by aziraphale · · Score: 4, Informative

    Sounds like preloading.

    Firefox (and other Mozilla derivatives) support a preloading link. When they encounter such a link in one page, they begin downloading the content for the linked page, so they have it ready. Google assumes that you're reasonably likely to click on the first link they've sent you for some types of search result (probably where there's a very high search ranking for one particular site for the term you searched for), so sends Mozilla/firefox users a preload warning along with the search result page, with the URL of the first search result page. Firefox does its thing and starts downloading the page content for the first search result before you even click on it - including any cookies.

  11. Re:OT: date format by amliebsch · · Score: 3, Informative
    Most of the time looks like you must guess the correct date.

    No, it is a de-facto standard in this country. That is the way virtually all dates are written, so there is not often confusion. For international compatibility, we use named months or the ISO format. The U.S. military, for example, has standardized on YYYYMMDD (and HHMM, obviously).

    Incidentally, it's not entirely without logic. The order of the numbers matches the way we usually talk, i.e., ("December Twenty-First, Two-thousand and five"). Except for the holiday colloquially known as the "4th of July," the vast majority of people say it in the format, "month day, year." Whether the written or oral ordering of the date this way came first, or simultaneously, I do not know, but it is at least consistent.

    --
    If you don't know where you are going, you will wind up somewhere else.