Google fixes security flaw in Reader

Hole could have let attackers steal sensitive data from Web surfers, according to blog revealing the flaw.

Google said it fixed a security flaw in Google Reader on Wednesday that could have allowed a hacker to steal sensitive information from Web surfers.

A Google RSS feed addition tool was vulnerable to a cross-site scripting attack, a poster to the blog wrote on Tuesday. Such attacks involve an attacker embedding HTML scripts in Web postings or input fields on a Web site.

"What are the implications of this attack for Google?" the blog posting asked. "Well, for starters, I can put a phishing site on Google. 'Sign up for Google World Beta.' I can steal cookies to log in as the user in question...I can steal your phone number from the /sendtophone application...get your address because is mirrored....The list of potential vulnerabilities goes on and on. The vulnerabilities only grow as Google builds out their portal experience."

Late Wednesday, Google issued a statement that said: "We learned of a minor security flaw in Google Reader earlier today and worked quickly to fix the problem, which has now been resolved. We encourage all vulnerability reporters to follow responsible disclosure practices and notify vendors first before making the vulnerability public."

Featured Video
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

Microsoft leaves Apple in the dust with tablet and laptop innovation in 2015

Will there be one Apple Ring to rule them all? That's what a patent application says. Plus, building the thinnest gadget isn't innovation anymore and Apple just got a reality check from Microsoft.

by Brian Tong