[ISN] Google plugs security holes in Web site
InfoSec News
isn at c4i.org
Tue Dec 27 08:19:02 UTC 2005
http://www.networkworld.com/news/2005/122205-google-holes.html
By Elizabeth Montalbano
IDG News Service
12/22/05
Google has patched security flaws in its Web site that would have
exposed users to phishing and other attacks designed to steal account
information, according to security researchers.
Researchers at risk management software company Watchfire posted an
advisory this week about the flaws, which are called XSS, or
cross-site scripting, vulnerabilities. These types of vulnerabilities
leave a site open to various attacks, such as account hijacking,
changing of user settings, cookie theft/poisoning or false
advertising.
The advisory for the flaws can be found here [1].
The possibility for attacks at www.google.com was present when users
encountered two different error pages, the "404 not found" error
message and a Web-site redirection error message.
Google did not properly secure these pages, which exposed users to
possible attack by exploiting the 7-bit Unicode Transformation Format
character-encoding mechanism, according to Watchfire.
The company corrected the flaws by using character-encoding
enforcement, according to Watchfire.
Google was not immediately available for comment Thursday.
[1] http://www.watchfire.com/securityzone/advisories/12-21-05.aspx
More information about the ISN
mailing list