Google said it fixed a security flaw in Google Reader on Wednesday that could have allowed a hacker to steal sensitive information from Web surfers.
A Google RSS feed addition tool was vulnerable to a cross-site scripting attack, a poster to the Ha.ckers.org blog wrote on Tuesday. Such attacks involve an attacker embedding HTML scripts in Web postings or input fields on a Web site.
"What are the implications of this attack for Google?" the blog posting asked. "Well, for starters, I can put a phishing site on Google. "Sign up for Google World Beta." I can steal cookies to log in as the user in question...I can steal your phone number from the /sendtophone application...get your address because maps.google.com is mirrored....The list of potential vulnerabilities goes on and on. The vulnerabilities only grow as Google builds out their portal experience."