Print this article  |  E-mail this article  |  Comment on this article

Google Cross-Site Scripting Flaw Fixed

By BetaNews Staff, BetaNews

December 21, 2005, 5:00 PM

Google has fixed a cross-site scripting vulnerability on its Web site, according to security firm Watchfire. The flaw allowed an attacker to impersonate legitimate Google services in order to launch a phishing attack. The search engine applauded the firm for withholding disclosure until it could fix the problem.

The XSS flaw existed in how Google redirected users in its error pages. An attacker could use UTF-7 characters to take advantage of the vulnerability and insert malicious JavaScript into the URL, the firm said. According to Watchfire, Google fixed the problem on December 1, just two weeks after it had been alerted to the problem.

Add a Comment (7 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By daint

posted Dec 23, 2005 - 3:10 AM

Exactly bbfc,

mm/dd/yy is like doing the time mm/hh/ss

Amercians, remember your roots :)

Score: 0

By bbfc

posted Dec 22, 2005 - 7:55 PM

dd/mm/yyyy makes more sense than mm/dd/yyyy.

Bloody Americans! :p

Score: 0

By Kramy

posted Dec 21, 2005 - 5:32 PM

And I must leap onto the MS bashing bandwagon!...

----- Link File Vulnerability -----
Found: Windows 95 (did 3.1 have links?)
Fixed(mostly): Windows XP Sp2

That's only around a decade. Speedy performance, by comparison.

Score: 0

By PC_Tool

posted Dec 22, 2005 - 10:43 AM

Internesting how that bandwagon didn't exist in this thread 'til you showed up.

How thoughtful of you.

Score: 0

By PC_Tool

posted Dec 21, 2005 - 5:19 PM

--[ Discovery Date: 15/11/2005
--[ Initial Vendor Response: 15/11/2005
--[ Issue solved: 01/12/2005

Note, this is using that back-asswards UK date format of dd/mm/yyyy.

Found Nov. 15th.

Solved Dec. 1st.

Not bad...not bad at all.

Score: 0

By No Beer For You

edited Dec 21, 2005 - 5:54 PM

back-asswards???

It's you that is back-asswards Jeez... :)

Score: 0

By PC_Tool

posted Dec 22, 2005 - 9:07 AM

Sorry, I'll include the [humor] tag from now on for those of you a little slow to catch on.

Score: 0

Dec 4 - 4:40 PM ET Opera 10 alpha shows off new Presto rendering engine

Dec 4 - 2:29 PM ET Apple: Psystar clone-maker is working with unnamed collaborators

Dec 4 - 2:21 PM ET Windows Live rollout sketchy, team apologizes

Dec 4 - 2:20 PM ET Stinging from a revenue shortfall, Adobe to shed workers

Dec 4 - 11:47 AM ET The storm hits AT&T, with a five-digit headcount reduction

Dec 4 - 11:42 AM ET TV sports adopts Web coverage, plays with iPhones

Dec 4 - 11:24 AM ET Microsoft seeks 'community' help to make IE8 Standards Mode work out

Dec 4 - 10:43 AM ET Hitachi GST and Intel make a solid-state deal

Dec 3 - 11:36 PM ET Yahoo cedes Internet radio operations to CBS

Dec 3 - 5:54 PM ET Big BCS bowl game to land at CES 2009...in 3-D!