Slashdot Mirror


GoogHOle Exploits GMail, Picasa and 200K Other Sites

Giorgio Maone writes "Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites which outsourced their search engines (vulnerabilities included in the price). If even Google, a very reactive company when web security matters, faces this kind of problem, how serious is the threat and what can you do, as a "normal" web user, to protect yourself?"

3 of 167 comments

  1. If you run Firefox, install NoScript plugin by elwinc · Score: 4, Informative

    According to the article, the exploit uses cross-site scripting, also known as XSS. There is a Firefox plugin called NoScript that limits cross-site scripts. The article points you to http://noscript.net/features#xss which describes the anti-XSS protection of NoScript. The NoScript page suggests that you only load Firefox plugins from addons.mozilla.org and sends you to https://addons.mozilla.org/en-US/firefox/addon/722 where you can download NoScript.

    --
    --- Often in error; never in doubt!
  2. Re:Very few details. by Anonymous Coward · Score: 2, Informative

    "what I can do to protect myself"

    Stay signed out of Google. Go to www.igoogle.com and if you see your name in the upper right, click Sign Out. The vulnerability comes from users surfing the web and clicking on a malicious link while being signed into Google.

    If you need to check your mail or use another of the Google suite, close all other tabs/windows and then sign in. Don't do random browsing at the same time for now.
  3. Re:How many work on Linux by thatskinnyguy · Score: 2, Informative

    An exploit like this would certainly work with Linux if the right conditions exist. Have a Gmail account? Scripts enabled in Firefox? Yep. Could work on Linux.

    --
    The game.