Google Plugs Account Hijack Holes

Had Google left the cross-site scripting (XSS) vulnerability unpatched, hackers could have modified third-party Google documents and spreadsheets and gained access to e-mail subjects and search history.

According to Philipp Lenssen, the author of Google Blogoscoped, the first Google Custom Domains vulnerability allowed Tony Ruscoe (another Google expert) to create a page that was hosted on a domain. Ruscoe proved that he could have used code to steal a user's Google cookie and access their Google services. The second vulnerability, reported by Lenssen, would also have enabled a hacker to use JavaScript code to pass cookie data to an external source.

Google killed two birds with one stone, according to a representative: "Google was alerted to these issues, and we worked quickly to fix the problems, which have been resolved. We have not received any reports of user data being compromised."
