Computer Crime Research Center


Google and the phishing hole

Date: October 12, 2005
By: David Utter

The Internet security firm Finjan and its Malicious Code Research Center provided Google with information leading to the correction of two vulnerabilities.

Cross-site scripting has plagued users of the Internet Explorer and Firefox browsers. Malicious web pages exploiting cross-site scripting vulnerabilities have driven Microsoft and Mozilla to patch their browsers several times. Finjan told Google in September that two of its subdomain sites utilized forms containing similar vulnerabilities.

The forms in question did not perform data validation or filtering, Finjan stated in a press release, and could have allowed code injection that could steal another user's 'cookie' file. With that cookie, someone could access the victim's account, and possibly even alter the contents of the web page.

In the statement, Limor Elbaz, Vice President of Business Development and Strategy with Finjan, explained, "The cross site scripting vulnerability could have allowed a remote attacker to take over victims' Google Accounts, or fake the website's content in order to deceive end users into downloading malicious content or providing personal and confidential information (known as 'phishing')."

Google has since addressed the problem and corrected the forms. Finjan noted that the sites in question no longer have the cross-site scripting vulnerability.