web application security lab

Google XSS Vuln

It’s just been a week for Google issues, hasn’t it? Well, today is no different, except that instead of exploits in Google’s social networking product (Orkut), this one is in Google proper. I got an email from Hong, in China. He found a fairly obscure and difficult-to-exploit cross-site scripting vulnerability in Google’s website. Here’s how it’s done.

First, click here to pre-load the XSS vulnerability onto Google’s page. Then click any of the links in the lower right-hand corner, such as “Groups” or “Adwords”. You will see an XSS alert box if you have JavaScript turned on. While obscure and difficult to exploit, this points to how big companies don’t spend the proper time doing security auditing on their websites during development and QA.

Nice work, Hong! Btw, in case you weren’t following the boards, I’d highly encourage anyone interested in knowing more about Google’s ethics to visit this post by Jeremy Zawodny.

14 Responses to “Google XSS Vuln”

  1. maluc Says:

    lol, had to plug the Google plagiarizing link..

    hats off to Hong though, i tried quite hard to find one in Google with no success :/ .. although i don’t normally look for the two-part ones like that and Orkut’s recent holes. And i’m guessing neither do Google’s sec people - tricky find.

  2. RSnake Says:

    Of course I did. I can’t let them get away with that. :) Everyone else lets them get away with murder. I like to bring them down a notch. They’re the new Microsoft.

  3. dveditz Says:

    Has it been fixed already? I’m not seeing it.

  4. RSnake Says:

    Indeed it has. Someone is listening. ;)

  5. phaithful Says:

    Aww damn… you need to get a screenshot next time…

  6. RSnake Says:

    Here’s a hint. It had a popup that said “XSS” ;) Not exactly stunning reference material ;) They’ve fixed the problem by stripping out the query string and leaving it empty. (The question mark remains but the data after it is missing). Obviously a quick hack job to shut down the hole, but the patch works.
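The fix described above (keep the “?”, drop the data after it) and a more durable alternative, as an added example that is not code from the post or from Google. The link-building behaviour, the footer paths and the `hl` parameter are assumptions made for illustration; the page only says the query string was pre-loaded and the footer links fired the payload.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Footer link targets, constructed for this example (not Google's real set).
FOOTER_LINKS = {"Groups": "/groups", "Adwords": "/adwords"}

# Query parameters the footer links may carry over from the incoming request,
# with the exact shape each value must have (assumption: a UI-language hint).
ALLOWED_PARAMS = {"hl": re.compile(r"[a-z]{2}(-[A-Z]{2})?")}


def unsafe_links(request_url: str) -> dict[str, str]:
    """Assumed pre-fix behaviour: the raw query string is copied onto every
    footer link, so whatever was pre-loaded into it reaches the page's HTML."""
    query = urlsplit(request_url).query
    return {name: f"{path}?{query}" for name, path in FOOTER_LINKS.items()}


def quick_fix_links(request_url: str) -> dict[str, str]:
    """The hot-fix the post describes: keep the '?' but drop everything after it."""
    return {name: f"{path}?" for name, path in FOOTER_LINKS.items()}


def hardened_links(request_url: str) -> dict[str, str]:
    """Carry over only allow-listed parameters whose values match the expected
    shape, then re-encode them, so no attacker-controlled bytes survive."""
    incoming = parse_qs(urlsplit(request_url).query)
    kept = {}
    for key, shape in ALLOWED_PARAMS.items():
        for value in incoming.get(key, []):
            if shape.fullmatch(value):
                kept[key] = value
                break
    query = urlencode(kept)
    return {name: f"{path}?{query}" if query else path
            for name, path in FOOTER_LINKS.items()}


def render_anchor(label: str, href: str) -> str:
    """Second layer: quote at the output point so a stray quote in the href
    can never close the attribute, whatever the link builder let through."""
    return f'<a href="{escape(href, quote=True)}">{escape(label)}</a>'


if __name__ == "__main__":
    # Constructed request: a valid hint plus a smuggled attribute-breaking value.
    request = 'https://www.example.com/?hl=en&q=x"><marker>'
    for name, href in hardened_links(request).items():
        print(render_anchor(name, href))
```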

  7. maluc Says:

    hrn, well it worked at the time of this blog post at least, as i tested it .. they do have a nice response time, i’ll give em that. You’re right that they seem to get a free ride on a lot of problems, and that they are indeed evil - for the sake of shareholder profits (i’d do the same) :/

    They’ve just got one hell of a PR team, and very loyal fanboys..

  8. RSnake Says:

    That’s why public companies can never “do no evil.” Evil is a requirement when you are out for maximizing shareholder profits. And amen on the fanboys. When intelligent security people can’t see that a company is stealing and selling/giving away their personal information you know that Google has got a hell of a brainwashing campaign going on. It’s my goal to get rid of the AdSense banners on this and sla.ckers.org by this time next month. No more Google.

  9. maluc Says:

    ya, there comes a time when they need to drop that inaccurate motto, much like Britney Spears’s “i’m a pure virgin” claims, up till the point she got pregnant -.-

    That time was probably around their IPO.. circa August 2004.

  10. pdp Says:

    RSnake, Google must have something like their internal Google Alerts system and one of the monitored sites is this one.

    Actually, I did some playing around with Google Alerts and I am quite impressed. If you are very specific with the query you are interested in, you can get tons of information in your mailbox. Parsing it is a trivial exercise. I have my own alerting system for special needs. Google’s infrastructure can come in quite handy (for malicious purposes, of course).

    This find is very funky. It is sort of semi-persistent XSS. What I like most about it is the fact that you don’t get exploited right away. It is an obscure one.

  11. Hong Says:

    I have a thought. On another site, add an iframe which links to the pre-loaded XSS URL, then simulate clicking a link. Is it possible?
    document.links[index].click();
    This works only on IE, but I think FF has an alternative method.

  12. pdp Says:

    not possible because of the same origin policy, interesting idea though

  13. RSnake Says:

    But what you can do is make the iframe move around with your mouse so no matter where they click the iframe will be under their mouse pointer. ;)

  14. RSnake Says:

    Oh yah, and pdp, that’s exactly right, they do. Maybe next time I won’t use the word Google once and I’ll release it at 10PM on a Friday night and time the difference. ;)