Paid Advertising
web application security lab

Google Plagued By XSS - Again

Eric Farraro found another fairly complex XSS exploit in Google - again. I applaud his technique as it was fairly complex (not your standard variable tampering).

Google has since taken down the offending service with an error that says simply, “This service is currently unavailable. Please try again later.” Self induced DoS by XSS, huh? Removing services seems like a bit of an overreaction, but I guess it was too much of a black eye to have an exploitable service sitting out there until they could fix it properly. Additionally, there is another random error message created by Google when you go to this URL, saying,

We’re sorry…

… but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can’t process your request right now.

We’ll restore your access as quickly as possible, so try again soon. In the meantime, if you suspect that your computer or network has been infected, you might want to run a virus checker or spyware remover to make sure that your systems are free of viruses and other spurious software.

We apologize for the inconvenience, and hope we’ll see you again on Google.

The odd part is that this cross site scripting exploit was reported on the 14th (or before), and here it is the 16th and the service is still down. Why would it take more than a few hours to fix this - it took 24 hours or less each time before? I guess the best and the brightest are still stumped by HTML injection mitigation. Either that, or this time it’s different. Interesting. Either way, it should be a side note that this is a possible outcome of XSS - severe self induced outages.

3 Responses to “Google Plagued By XSS - Again”

  1. /pd Says:

    yes, I agree this was really a quality hack !

  2. id Says:


    HA HA


  3. Eric Says:


    I actually reported the exploit two weeks to a month ago — the service was taken down immediately, but my site was left up. Yeseterday due to TONS of traffic, I guess they took it down.

    Thanks for linking to my article :)