February 17th, 2010, 02:58 PM
Google Buzz xss
Just thought i'd mention that Google Buzz thing had a xss flaw.
Here is the string for the flaw.
you will need to "spoof" your user agent string to get it working.
Theres also a fresh write up over at ha.ckers.org
& here's the Original thread over at DG
There’s four things of note here. Firstly it’s on Google’s domain, not some other domain like Google Gadgets or something. So yes, it’s bad for phishing and for cookies. Secondly, it’s over SSL/TLS (so no one should be able to see what’s going on, right?). Third, it could be used to hijack Google Buzz - as if anyone is using that product (or at least you shouldn’t be). And lastly isn’t it ironic that Google is asking to know where I am on the very same page that’s being compromised? Why on earth does Google think its systems are secure enough to trust them with that kind of sensitive information? Yes, bad guys can figure out where you’re located if you allow that function. Chinese dissidents beware! But if you have something to hide, you must be a bad guy
, right, Eric?
I figured that since were on a Security site i may as well start a thread and get some sort of dicussion happening about this.
Last edited by HYBR|D; February 17th, 2010 at 02:59 PM.
Reason: Yeah the hole "Should" be patched by now ;)
By Egaladeist in forum General Computer Discussions
Last Post: October 28th, 2005, 04:49 AM
By ch4r in forum Other Tutorials Forum
Last Post: January 21st, 2005, 01:53 PM
By 3rr0r in forum The Security Tutorials Forum
Last Post: December 1st, 2004, 05:31 AM
By MrLinus in forum Web Security
Last Post: August 7th, 2004, 04:13 PM
By -DaRK-RaiDeR- in forum AntiOnline's General Chit Chat
Last Post: December 22nd, 2002, 06:21 PM
Tags for this Thread