Google Expert Draws Similarity Between Two Exploits

There is a cross-site scripting (XSS) vulnerability in one of Google's Web hosting services. The vulnerability is capable of altering third-party Google documents and Excel files as well as viewing e-mail subjects and past search data, said the Google Blogoscoped blog. Google Blogoscoped is a third-party site that gives opinion on Google developments. The company, however, patched the vulnerability early.

A Google expert, Tony Ruscoe, discovered the Google flaw when he was able to steal an individual's cookie and issue commands on a variety of services on that person's account, such as Google Docs and Google Analytics. Ruscoe posted all the details of the exploit on the blog.

The security flaw was connected to a Google feature just released on the blog. In the second week of January 2007, Google was hosting custom domains. Ruscoe noticed that a user had entered "ghs.google.com" as the domain name of his blog.

The writer of Google Blogoscoped, Philipp Lenssen, said on January 14, 2007 that the vulnerability resembled another flaw in Blogger Custom Domains. According to Lenssen, the Custom Domains flaw enabled Ruscoe to construct a page and host it on a Google.com domain. Ruscoe's actions demonstrated how to use code to steal a Google cookie and intercept users' Google services. The second vulnerability that Lenssen reported worked similarly, by allowing the use of JavaScript code to transmit cookie data to a different party.

A representative of Google said that the company attended to both vulnerabilities adequately. ZDNet published this statement on January 16, 2007.

Google was fast in fixing the problems. Within three hours its specialists eliminated the page posted on Google's servers. That night they circulated a message of thanks for the report of the issue. The company gave its assurance that it is serious about the security of its users and pays adequate attention to their complaints or suggestions.

The message was to inform that Google addressed the problem immediately and that it took steps to prevent its repetition. In addition, Google invited bug hunters to report security issues relating to Google directly to the company, so that it can develop patches before the general public becomes aware of the flaws.

Related article: Google Rectifies Gmail flaw in Three Days » SPAMfighter News - 1/22/2007