Google Plugs Account Hijack Holes

Had Google left the the cross-site scripting (XSS) vulnerability unpatched, hackers could have modified third-party Google documents and spreadsheets as well as had access to e-mail subjects and search history.

According to Philipp Lenssen, the author of Google Blogoscoped, the first Google Custom Domains vulnerability allowed Tony Ruscoe (another Google expert) to create a page that was hosted on a Google.com domain. Ruscoe proved that he could have used code to steal a user's Google cookie and access their Google services. The second vulnerability, reported by Lenssen, would also have enabled a hacker to use JavaScript code to pass cookie data to an external source.

Google hit two birds with one stone according to a representative: "Google was alerted to these issues, and we worked quickly to fix the problems, which have been resolved. We have not received any reports of user data being compromised."

News source: News.com

Report a problem with article
Previous Story

HP Announces Technology to Improve Chip Density

Next Story

Toshiba Announces First HD DVD-R Notebook

2 Comments

Commenting is disabled on this article.

I am glad that Google fixes its security holes quickly and does admit to the public that there was a security hole or what-so-ever.

Good baby, Google!

Being a Microsoft Certified software architect I am glad that it's proven now that whatever platform you use, it's the code that matters. And regardless of however many PhD's your team has, you're still susceptible, nothing is bulletproof in software and nothing ever will be.

However unlike some other companies, web sites, Google openly admits and patches the flaws quickly. I wish MS was as responsive at times.