Paid Advertising
web application security lab

More Cross Site Scripting in Google

Well Russ Jones over at TheGoogleCache just disclosed another cross site scripting vulnerability in Google that I previously verified prior to his disclosure. Russ Jones is more interested in the page rank aspects of XSS as he is interesting in search engine optimization, but he also correctly acknowledged the issues around password and identity theft in Google’s application.

I know I said I wouldn’t discuss Google’s XSS woes for a while, but honestly, this one isn’t my fault! Russ let me know about it a few days back but he found it and disclosed it on his own. Now, I shouldn’t have to say it, but proper sanity checking of input seems like a pretty trivial thing to do. However, as we see, when you have thousands of programmers who are thin on security expertise, it can be very difficult to secure your application. That’s why I don’t trust entering personal information into Google, unless I typed the URL by hand. Call me crazy, but things like this freak me out.

Now, Google’s infosec guys emailed me (I emailed them back but I haven’t heard back from them - not quite sure why, actually). I would love to talk to them about their issues, but haven’t heard back. But this is far from the only vulnerability in Google. In fact, in a few seconds of checking today I found another cross site scripting hole in Google. But disclosure is such an ugly beast. While talking to one web app security expert today who shall remain unnamed, he said that he rarely discloses vulnerabilities anymore, because it’s just not worth his time. He’s not getting paid for it, and it’s not helpful to him to disclose it.

Think about it, I mean, I could easily be treading on some poor security consultant’s toes by finding vulnerabilities that he would be finding for the company in question. Interesting problem we face as a security community.

As a big enterprise I’d love to know ahead of time that I have vulnerabilities in my application. In fact, I’d expect it off the bat. But as I grew my application and expertise, I’d also expect that not many people are nice enough to give me a second chance - especially when there is no remuneration for their efforts. It’s not like Google’s going to give me $1000 every time I find a hole - if they did, there would be a much safer Google out there, believe you me. So in liue of that, Google gets bad press, and I get nothing but the brief sense of self satisfaction in a job well done - and maybe the warm fuzzy feeling that I am giving other security researchers a job in the future by waking these companies up (I might be a nice guy, but I’m not that charitable).

The auction market is an interesting possibility for these types of issues. It’s been tried before but certainly never formalized and certainly never legitimately. If I have an exploit in some major software manufacturer, it is worth next to nothing to me unless I intend to start hacking companies that use it and try to get information from them that I could then resell - ultra blackhat. The second option is to give it to the companies in question - whitehat. The best I can hope for there is to get a job or a free book or something. The last option as an independant security researcher is I can sell it at market - blackhat with plausible deniability. The highest bidder wins.

Think about an auction format that allowed for software exploits to be sold in the same way that any one of a kind, limited format item could be sold. Would the company who’s asset was in peril fork out a few hundred or a few thousand for the trouble? Seems like a small price to pay for avoiding full disclosure, or worse yet, having the vulnerability in question fall into the “wrong” hands to be used against the company in question. Of course, something like this could easily be created, but there’s no way to verify that the exploits work as advertized, so this whole idea is probably barely worth the ones and zeros it’s written on, but it’s an interesting concept that the security industry has not yet figured out.

There is one other option, which is where I give it to consultants who are working for the companies in question. They get to be the bread winner for the company in question, and either pay me out the backend, or throw work or favors my way. That too is blackhat, but at least it gets the vulnerability fixed, and the company gets what it wants from the consultant one way or another - even if the hole was not found by then. For now, I don’t know which camp I’m in, but I do know that these companies aren’t getting their problems fixed like they could be, if we were able to figure out these issues. - And before I forget to mention, no, I’m not looking for a job.

5 Responses to “More Cross Site Scripting in Google”

  1. Sh4nk Says:

    The proof of Concept of the link

    it does not work, I think that already it was patched for google…

  2. RSnake Says:

    Looks like it, yah… I’m not sure if he posted it before or after it was disclosed to Google, but I verified it before he posted it and it worked at that time. Trust me, there are more vulnerabilities in Google though.

  3. webwormx Says:

    You make a good point about disclosure being a hassle these days. But worse, it seems that the drawbacks to disclosure these days go far beyond lost time and treading on someone else’s turf. While I’m sure google would avoid such action, it seems that many organizations are turning towards immediate legal action rather than immediate improvement of coding practices, and sometimes that legal action is against the very people trying to help.

    I’m sure you’ve heard of incidents like the one with University of Ohio.

    It’s things like these that both me so much about disclosure. I run across terrible security vulnerabilities in sites I visit almost daily — Security vulnerabilities that put thousands of people, including me and my friends, at risk for identity theft. Yet by disclosing them (even privately) I could put myself at risk for serious legal action that would put a quick stop to my immediate education and career plans.

  4. webwormx Says:

    both -> bother (in the last paragraph)

  5. Luny Says:

    Heres a google story for you that I never got a reply back on. I emailed google about a company who was selling page translation software for like 10-20$. No big deal right? Well the software was using googles page translation service to translate the pages!

    You simply typed a url into this software and it would input the url into google and translate it. Dissasembly of the program provided this to be correct.

    I never did find out if the company got shut down or not and google never emailed me back when I left them this heads up. This happened a few months back