-
October 19th, 2004, 06:58 PM
#1
Google XSS, phishing
From bugtraq:
Description: Google's custom websearch does not prevent javascript from
being inserted into the url of the image, allowing malicious users to modify
the content of the google page allowing in phishing attacks, or silently
steal search terms/results/clicks or modify actual searches to always
contain controlled results. With Googles trusted status, the risk is almost
certainly high.
In IE:
http://www.google.com/custom?cof=L:j...39;SodaP')
The exploit has been public for over 2 years, and google have been informed
on multiple occasions.
This may not be very harmful except for phishing attacks, but why wouldn't google fix it regardless? Last thing Google needs is a reputation of late bug fixes, considering the expansion of services it is currently going through.
Hmmmm..... Gmail cookies and XSS? Any possible problems with saved passwords? Gmail doesn't have a /custom interface does it?
-
October 21st, 2004, 12:21 PM
#2
Member
And anybody tried gmailnotifier? just the kind of power google got into ur desktops..
may be google want some bugs to remain, and they can do anything they like saying its a bug
Sun
-
October 21st, 2004, 12:55 PM
#3
Soda, doesn't seem to work on my (win98 IE6) test box..
I'm not paranoid.. but is this a google flaw or a IE flaw ??
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
October 21st, 2004, 03:38 PM
#4
Looks like they fixed it, because I can't get it to work anymore, on anything.
-
October 21st, 2004, 03:42 PM
#5
You're the man SodaP. Your post caused them to fix it .
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|