Results 1 to 5 of 5

Thread: Google XSS, phishing

  1. #1

    Google XSS, phishing

    From bugtraq:

    Description: Google's custom websearch does not prevent javascript from
    being inserted into the url of the image, allowing malicious users to modify
    the content of the google page allowing in phishing attacks, or silently
    steal search terms/results/clicks or modify actual searches to always
    contain controlled results. With Googles trusted status, the risk is almost
    certainly high.
    In IE:

    The exploit has been public for over 2 years, and google have been informed
    on multiple occasions.
    This may not be very harmful except for phishing attacks, but why wouldn't google fix it regardless? Last thing Google needs is a reputation of late bug fixes, considering the expansion of services it is currently going through.

    Hmmmm..... Gmail cookies and XSS? Any possible problems with saved passwords? Gmail doesn't have a /custom interface does it?

  2. #2
    Join Date
    Dec 2002
    And anybody tried gmailnotifier? just the kind of power google got into ur desktops..

    may be google want some bugs to remain, and they can do anything they like saying its a bug

    God is Love

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands
    Soda, doesn't seem to work on my (win98 IE6) test box..

    I'm not paranoid.. but is this a google flaw or a IE flaw ??
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    Looks like they fixed it, because I can't get it to work anymore, on anything.

  5. #5
    Elite Hacker
    Join Date
    Mar 2003
    You're the man SodaP. Your post caused them to fix it .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts