Archive for September 24th, 2007

Not a great month for Google security.
In the past 3 days, 34 interesting disclosures have been published:

  1. Google Search Appliance XSS discovered by MustLive, affecting almost 200,000 paying customers of the outsourced search engine and their users: this Google dork shown 196,000 results at the time of disclosure, now dropped to 188,000. Fear effect?
  2. Billy Rios and Nate McFeters revealed the gory details of their already announced Picasa exploit, leveraging a clever combo of XSS, Cross Application Request Forgery, Flash same domain policy elusion and URI handler weakness exploitation to steal your private pictures, straight from your local hard disk, just visiting a malicious web page.
  3. Finally, the most simple yet impressive, because of the huge number of users involved: beford decided to launch his new blog disclosing a Google Polls XSS which, thanks to the (too) smart "widget reuse" allowing Google services to integrate the same functionality across multiple services, can be used to attack Search, Blogspot, Groups and, the most dramatic exploitation scenario, GMail:

    For such an attack to be successful, the victim just needs to visit a malicious website while logged in Google, e.g. by following a link from an incoming message (unless she's got anti-XSS protection).

  4. update -- a few hours after I released the first version of article, I heard of another Google-outsourced vulnerability, an Urchin Login XSS disclosed by GNUCITIZEN's Adrian Pastor, which could compromise local Google Analytics installations. Its severity may vary depending on how Urchin is installed (e.g. on a domain different than your main site), but the provided proof of concept is quite interesting because it shows an actual credential theft in action, rather than the usual, boring

    . Not that a more spectacular example proves anything new about the dangers of XSS, but some people just don't believe until they can see with their own eyes.

These vulnerabilities are surely being fixed at top speed, since Google is one of the most reactive organizations in this fight, but they're nonetheless disturbing because they hit the very main player on the field, with the largest user base on the web: this make this kind of incidents unavoidable ipso facto.
How many vulnerabilities like those just go undisclosed and unpatched, but yet exploited by unethical hacrackers?
In Gareth Heyes' words,

This proves everything is insecure, there are just degrees of insecurity.

Talking about XSS, if you're an end user and you don't like to stay at the very bottom of the insecurity food chain, you'd better use Firefox with NoScript -- but that's your choice, of course. ;)

Bad Behavior has blocked 729 access attempts in the last 7 days.