Google and the phishing hole
Date: October 12, 2005Source: webpronews.com
By:
Cross-site scripting has plagued users of the Internet Explorer and Firefox browsers. Malicious web pages exploiting cross-site scripting vulnerabilities have driven Microsoft and Mozilla to patch their browsers several times. Finjan told Google in September that two of its subdomain sites that utilized forms containing similar vulnerabilities.
The forms in question did not do data validation or filtering, Finjan has stated in a press release, and could have allows for code injection that could steal another user's 'cookie' file. With that cookie, someone could access the victim's account, and even possibly alter the contents of the web page.
In the statement, Limor Elbaz, Vice President of Business Development and Strategy with Finjan explained, "The cross site scripting vulnerability could have allowed a remote attacker to take over victims' Google Accounts, or fake the website's content in order to deceive end users into downloading malicious content or providing personal and confidential information (known as 'phishing')."
Google has since addressed the problem and corrected the forms. Finjan noted that the sites in question no longer have the cross-site scripting vulnerability.
Original article
Add comment
Email to a Friend
