Google XSS Vuln
It’s just been a week for Google issues, hasn’t it? Well, today is no different, except that instead of finding exploits in Google’s social networking product (Orkut), this one is in Google proper. I got an email from Hong, in China. He found a fairly obscure and difficult-to-exploit cross-site scripting vulnerability in Google’s website. Here’s how it’s done.
First, click here to pre-load the XSS vulnerability onto Google’s page. Then click any of the links in the lower right-hand corner, such as “Groups” or “Adwords”. You will see an XSS alert box if you have JavaScript turned on. While obscure and difficult to exploit, this points to how little time big companies spend on security auditing of their websites during development and QA.
Nice work, Hong! Btw, in case you weren’t following the boards, I’d highly encourage anyone interested in knowing more about Google’s ethics to visit this post by Jeremy Zawodny.



December 13th, 2006 at 11:01 am
lol, had to plug the google plagiarizing link..
hats off to Hong though, i tried quite hard to find one in google with no success :/ .. although i don’t normally look for the two-part ones like that and Orkut’s recent holes. And i’m guessing neither do google’s sec people - tricky find.
December 13th, 2006 at 11:24 am
Of course I did. I can’t let them get away with that.
Everyone else lets them get away with murder. I like to bring them down a notch. They’re the new Microsoft.
December 13th, 2006 at 12:15 pm
Has it been fixed already? I’m not seeing it.
December 13th, 2006 at 12:31 pm
Indeed it has. Someone is listening.
December 13th, 2006 at 12:40 pm
Aww damn… you need to get a screenshot next time…
December 13th, 2006 at 12:42 pm
Here’s a hint. It had a popup that said “XSS”.
Not exactly stunning reference material.
They’ve fixed the problem by stripping out the query string and leaving it empty. (The question mark remains but the data after it is missing). Obviously a quick hack job to shut down the hole, but the patch works.
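An added illustration, not Google’s code and not from the post or the comments: the footer-link pattern that the post and the fix above describe, assuming the vulnerable page carried the request’s query string into its footer hrefs by raw concatenation. Link names and the sample payload are constructed for this example.

```javascript
// Constructed footer links standing in for the "Groups" / "Adwords" links
// mentioned in the post (hypothetical paths, not Google's).
const FOOTER_LINKS = [
  ['Groups', '/groups'],
  ['AdWords', '/adwords'],
];

// Vulnerable shape (assumed): the raw query string is pasted into every href.
// A value containing a double quote closes the attribute, and nothing fires
// until a footer link is clicked, which is the two-stage behaviour described.
function buildFooterVulnerable(rawQuery) {
  return FOOTER_LINKS
    .map(([name, path]) => `<a href="${path}?${rawQuery}">${name}</a>`)
    .join('\n');
}

// Escape the characters that matter inside an HTML attribute value.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened shape: re-serialise the query through URLSearchParams, which
// percent-encodes quotes, brackets and spaces, then attribute-escape the
// result so the original parameters survive but cannot leave the href.
function buildFooterHardened(rawQuery) {
  const safeQuery = escapeAttr(new URLSearchParams(rawQuery).toString());
  return FOOTER_LINKS
    .map(([name, path]) => `<a href="${path}?${safeQuery}">${name}</a>`)
    .join('\n');
}

// The quick fix the comment describes: keep the "?" but drop the query data.
function buildFooterStripped() {
  return buildFooterHardened('');
}

// Defender-side check: every rendered anchor must be exactly one href
// attribute followed by text, i.e. the query value stayed inside the quotes.
function anchorsWellFormed(html) {
  return html
    .split('\n')
    .every((line) => /^<a href="[^"<>]*">[^<]*<\/a>$/.test(line));
}
```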
December 13th, 2006 at 1:15 pm
hrn, well it worked at the time of this blog post at least, as i tested it .. they do have a nice response time, i’ll give em that. You’re right that they seem to get a free ride on a lot of problems, and that they are indeed evil - for the sake of shareholder profits (i’d do the same) :/
They’ve just got one hell of a PR team, and very loyal fanboys..
December 13th, 2006 at 2:21 pm
That’s why public companies can never “do no evil.” Evil is a requirement when you are out for maximizing shareholder profits. And amen on the fanboys. When intelligent security people can’t see that a company is stealing and selling/giving away their personal information you know that Google has got a hell of a brainwashing campaign going on. It’s my goal to get rid of the AdSense banners on this and sla.ckers.org by this time next month. No more Google.
December 13th, 2006 at 2:39 pm
ya, there comes a time when they need to drop that inaccurate motto, much like britney spears’s “i’m a pure virgin” claims, up till the point she got pregnant -.-
That time was probably around their IPO.. circa August 2004.
December 13th, 2006 at 6:35 pm
RSnake, Google must have something like their internal Google Alerts system and one of the monitored sites is this one.
Actually, I did some playing around with Google Alerts and I am quite impressed. If you are very specific with the query you are interested in you can get tons of information in your mail box. Parsing it is a trivial exercise. I have my own alerting system for special needs. Google’s infrastructure can come in quite handy (for malicious purposes of course).
This find is very funky. It is sort of semi-persistent XSS. What I like most about it is the fact that you don’t get exploited right away. It is an obscure one.
December 13th, 2006 at 11:49 pm
I have an idea. On another site, add an iframe which links to the pre-loaded XSS URL, then simulate clicking a link. Is it possible?
document.links[index].click();
This works only on IE, but I think FF has alternative method.
December 14th, 2006 at 12:29 am
not possible because of the same origin policy, interesting idea though
December 14th, 2006 at 10:36 am
But what you can do is make the iframe move around with your mouse so no matter where they click the iframe will be under their mouse pointer.
December 14th, 2006 at 10:37 am
Oh yah, and pdp, that’s exactly right, they do. Maybe next time I won’t use the word Google once and I’ll release it at 10PM on a Friday night and time the difference.