News

Google Cross-Site Scripting Flaw Fixed

By the Betanews Staff | Published December 21, 2005, 5:00 PM

Google has fixed a cross-site scripting vulnerability on its Web site, according to security firm Watchfire. The flaw allowed an attacker to impersonate legitimate Google services in order to launch a phishing attack. The search engine applauded the firm for withholding disclosure until it could fix the problem.

The XSS flaw existed in how Google redirected users in its error pages. An attacker could use UTF-7 characters to take advantage of the vulnerability and insert malicious JavaScript into the URL, the firm said. According to Watchfire, Google fixed the problem on December 1, just two weeks after it had been alerted to the problem.

Comments

View comments by with a score of at least

daint
Dec 23, 2005 - 3:10 AM

Exactly bbfc,

mm/dd/yy is like doing the time mm/hh/ss

Amercians, remember your roots :)

Score: 0

|
Post Reply
bbfc
Dec 22, 2005 - 7:55 PM

dd/mm/yyyy makes more sense than mm/dd/yyyy.

Bloody Americans! :p

Score: 0

|
Post Reply
Kramy
Dec 21, 2005 - 5:32 PM

And I must leap onto the MS bashing bandwagon!...

----- Link File Vulnerability -----
Found: Windows 95 (did 3.1 have links?)
Fixed(mostly): Windows XP Sp2

That's only around a decade. Speedy performance, by comparison.

Score: 0

|
Post Reply
PC_Tool
Dec 22, 2005 - 10:43 AM

Internesting how that bandwagon didn't exist in this thread 'til you showed up.

How thoughtful of you.

Score: 0

|
Post Reply
PC_Tool
Dec 21, 2005 - 5:19 PM

--[ Discovery Date: 15/11/2005
--[ Initial Vendor Response: 15/11/2005
--[ Issue solved: 01/12/2005

Note, this is using that back-asswards UK date format of dd/mm/yyyy.

Found Nov. 15th.

Solved Dec. 1st.

Not bad...not bad at all.

Score: 0

|
Post Reply
No Beer For You
Dec 21, 2005 - 5:54 PM edited

back-asswards???

It's you that is back-asswards Jeez... :)

Score: 0

|
Post Reply
PC_Tool
Dec 22, 2005 - 9:07 AM

Sorry, I'll include the [humor] tag from now on for those of you a little slow to catch on.

Score: 0

|
Post Reply

Google Chrome 4: Yes, it's fast, but is it usable?

As Betanews readers have responded to our stories about Chrome's JavaScript superiority...Does that mean we'd actually use this browser? Well...

Video: Netflix on PlayStation 3

Netflix has come to the PlayStation 3 via Blu-ray and BD-Live.

Verizon Wireless launches new Android, Chocolate, and ruggedized phones

The lower-priced Eris joins the Droid, while the Chocolate gets a touchscreen and more music playback.

Early sales figures for Windows 7 nicely high, but do we know why?

Fans of triple-digit surges in figures quoted by Betanews will love this one, as it appears Microsoft rediscovered how to pull off a software launch.

Myka announces its latest Linux-based 'net top box'

Myka's ION brings Boxee, XMBC, and much more to HDTVs.

What hath Mac wrought? A remembrance after a quarter-century

The reason there's a Macintosh today is not because of some brilliant flash of engineering genius, but because Apple had the audacity to learn from its mistakes.

Early build of Moblin 2.1 improves connectivity, but not device support

The Linux Foundation's Atom-centric OS yesterday received a major overhaul with the project release of Moblin 2.1 for netbooks and nettops.

The iPhone's China syndrome: Sales of 5,000 and climbing

There's actually a country where Apple's device is not a godsend, where sales can be measured in the dozens.

New European counterpart to FCC will ensure 'a more neutral net'

Late Thursday night, the ruling telecom administrators of the EU's member nations signed away their final authority to a new entity overseen by the EC.

Sophos study suggests Windows 7 UAC's default setting is self-defeating

Without any anti-virus installed, a Sophos test showed, User Account Control was only capable of thwarting just one malware package out of ten samples chosen.

Indiscreet tweet trips awareness of Web SSL vulnerability

A group of high-level security engineers had been making progress on thwarting a low-level threat to the Web, until somebody blurted it all out on Twitter.