Google Cross-Site Scripting Flaw Fixed

By BetaNews Staff, BetaNews

December 21, 2005, 5:00 PM

Google has fixed a cross-site scripting vulnerability on its Web site, according to security firm Watchfire. The flaw allowed an attacker to impersonate legitimate Google services in order to launch a phishing attack. The search engine applauded the firm for withholding disclosure until it could fix the problem.

The XSS flaw existed in how Google redirected users in its error pages. An attacker could use UTF-7 characters to take advantage of the vulnerability and insert malicious JavaScript into the URL, the firm said. According to Watchfire, Google fixed the problem on December 1, just two weeks after it had been alerted to the problem.
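The article gives no detail beyond "UTF-7 characters" in the URL. The Python below is an added illustration, not code from Watchfire, Google or BetaNews. It shows the general defender-side problem: markup written in UTF-7 contains no `<` or `>`, so it passes an HTML-escaping filter unchanged, and a page served without a declared charset leaves the browser free to guess the encoding. The URL, parameter name and header values are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl

# A UTF-7 shifted run: '+', modified-base64 characters, optional '-' terminator.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")
MARKUP = set("<>\"'")
CHARSET = re.compile(r"charset\s*=\s*[\"']?([\w.:-]+)", re.IGNORECASE)


def hidden_markup(value: str) -> Optional[str]:
    """Return the UTF-7 decoding of value if it reveals markup characters
    that the raw value does not contain; otherwise return None."""
    if not UTF7_RUN.search(value):
        return None
    try:
        decoded = value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None  # not valid UTF-7, so nothing is hidden in it
    revealed = (set(decoded) & MARKUP) - (set(value) & MARKUP)
    return decoded if revealed else None


def declared_charset(content_type: str) -> Optional[str]:
    """Return the charset named in a Content-Type header value, lower-cased."""
    match = CHARSET.search(content_type)
    return match.group(1).lower() if match else None


def audit(url: str, content_type: str) -> dict:
    """Report whether the response pins a non-UTF-7 charset and which query
    parameters would turn into markup under a UTF-7 interpretation."""
    charset = declared_charset(content_type)
    suspicious = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = hidden_markup(value)
        if decoded is not None:
            suspicious.append((name, decoded))
    return {
        "charset_pinned": charset is not None and charset != "utf-7",
        "suspicious_params": suspicious,
    }


if __name__ == "__main__":
    # Constructed sample: "<b>test" written in UTF-7 and percent-encoded.
    sample = "http://example.test/error?q=%2BADw-b%2BAD4-test"
    print(audit(sample, "text/html"))                 # charset left to the browser
    print(audit(sample, "text/html; charset=UTF-8"))  # charset pinned by the server
```

The parameter is reported in both cases, but once the server pins the charset the browser has no reason to reinterpret the bytes, which is the response-side mitigation.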

7 Comments

By daint

posted Dec 23, 2005 - 3:10 AM

Exactly bbfc,

mm/dd/yy is like doing the time mm/hh/ss

Americans, remember your roots :)

Score: 0

By bbfc

posted Dec 22, 2005 - 7:55 PM

dd/mm/yyyy makes more sense than mm/dd/yyyy.

Bloody Americans! :p

Score: 0

By Kramy

posted Dec 21, 2005 - 5:32 PM

And I must leap onto the MS bashing bandwagon!...

----- Link File Vulnerability -----
Found: Windows 95 (did 3.1 have links?)
Fixed(mostly): Windows XP Sp2

That's only around a decade. Speedy performance, by comparison.

Score: 0

By PC_Tool

posted Dec 22, 2005 - 10:43 AM

Interesting how that bandwagon didn't exist in this thread 'til you showed up.

How thoughtful of you.

Score: 0

By PC_Tool

posted Dec 21, 2005 - 5:19 PM

--[ Discovery Date: 15/11/2005
--[ Initial Vendor Response: 15/11/2005
--[ Issue solved: 01/12/2005

Note, this is using that back-asswards UK date format of dd/mm/yyyy.

Found Nov. 15th.

Solved Dec. 1st.

Not bad...not bad at all.

Score: 0

By No Beer For You

edited Dec 21, 2005 - 5:54 PM

back-asswards???

It's you that is back-asswards Jeez... :)

Score: 0

By PC_Tool

posted Dec 22, 2005 - 9:07 AM

Sorry, I'll include the [humor] tag from now on for those of you a little slow to catch on.

Score: 0