Cross Site Scripting Discovered in Google
Security Test writes "Yair Amit posted a message early this morning to The Web Security Mailing List outlining a Cross Site Scripting flaw in Google that allows an attacker to carry out Phishing Attacks."
It's considered good practice to report security issues to the responsible parties in order to give them sufficient time to fix the problem well before disclosing it to the public.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
And then what happens to AJAX?
JavaScript is not the issue; the issue is sites/providers not treating data from the "real world" as suspect and doing a rigorous examination of it before allowing it in or executing anything based on it. When I'm writing Perl CGIs that are accessible from outside my system, I always have the taint mode (-T) switch enabled. You have to be suspicious of data coming in and treat it as radioactive until you can verify its integrity.
GetOuttaMySpace - The Anti-Social Network
This is great when there is only one site to update. But when everybody is running their own copy of the web app on their web server, you get problems like the recent epidemic of PHP-based bulletin board exploits.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
It seems odd to blame this on Google. According to the linked mailing list posting, the problem is caused by the "auto detect character set" feature in IE (and probably other browsers) and the lack of a "charset" parameter in the HTTP response from Google. The HTTP spec is pretty clear that a missing charset parameter means ISO-8859-1, not "browser should guess", and certainly not UTF-7.
So isn't it really the "auto detect" feature in the browser that causes the vulnerability, and not Google's lack of "charset encoding enforcement" as the mailing list posting from Watchfire Research claims? Let's put the blame where it belongs. I say we should applaud Google for going the extra kilometer to protect users with non-compliant browsers.
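The charset issue the comment above describes, as an added example that is not from this thread or from the Watchfire post: it parses the Content-Type header, compares how a constructed response body reads under the declared (or RFC-default) charset versus under UTF-7, and shows the header fix. The function names and the sample body are constructed, and treating UTF-7 as the browser's guess is an assumption standing in for the real auto-detect heuristic.

```python
from email.message import Message  # stdlib parser for Content-Type parameters

# Constructed sample: a page that echoes a search term. The server HTML-escaped
# '<' and '>', so the raw bytes hold no tag characters, yet the '+ADw-' and
# '+AD4-' sequences are '<' and '>' once the bytes are read as UTF-7.
SAMPLE_BODY = b"You searched for: +ADw-b+AD4-hello+ADw-/b+AD4-"


def declared_charset(content_type: str):
    """Return the charset parameter of a Content-Type value, or None if absent."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()  # lowercased, or None when not declared


def tag_chars(body: bytes, charset: str) -> int:
    """Number of '<' and '>' characters present once body is decoded as charset."""
    try:
        text = body.decode(charset)
    except UnicodeDecodeError:
        return 0
    return sum(text.count(c) for c in "<>")


def audit(content_type: str, body: bytes) -> dict:
    """Compare what the server meant (declared charset, or the HTTP default of
    ISO-8859-1 when none is given) with what an auto-detecting browser might
    pick. UTF-7 stands in for that guess here (an assumption, not IE's logic)."""
    declared = declared_charset(content_type)
    intended = declared or "iso-8859-1"
    as_intended = tag_chars(body, intended)
    as_guessed = tag_chars(body, "utf-7")
    return {
        "declared": declared,
        "tags_as_intended": as_intended,
        "tags_if_guessed_utf7": as_guessed,
        # Exposed only when nothing was declared AND the guess adds markup.
        "exposed": declared is None and as_guessed > as_intended,
    }


def harden(content_type: str, charset: str = "utf-8") -> str:
    """Add an explicit charset so the browser has nothing left to guess."""
    if declared_charset(content_type):
        return content_type
    return f"{content_type}; charset={charset}"
```

With the charset declared, the same bytes stay inert because the browser no longer has a reason to guess.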