Google fixes several site security issues
Company blocks cross-site scripting hole at Grand Central site, fixes Google.com redirect issue, and works to fix redirect issue at Doubleclick.com.
Google has fixed security vulnerabilities related to its Grand Central telecom service and its Google.com Web site, the company said Monday.
Google fixed a cross-site scripting vulnerability on the log-in page for Grand Central, a service that allows people to have numerous phone numbers ring on one phone and have a unified voice mail.
Cross-site scripting is a vulnerability, found increasingly in Web applications, in which malicious code can be injected into Web pages and then used to attack or compromise visitors to the site.
"This issue was reported to us (and everyone else) this morning, and we closed it shortly after being notified," a Google spokesman said.
The vulnerability was posted to a security e-mail list called Full Disclosure and was not reported to Google beforehand, meaning Google had to race to fix the issue before someone could write an exploit for it.
In a separate security issue, Google fixed a vulnerability that allowed people to create a spoofed link that looks like it goes to the Google.com domain but actually redirects a Web surfer to a different site. Such redirect links are usually distributed via e-mail and often send people to a site with malicious code that can be used to attack or compromise the visitor's computer.
Google, meanwhile, was working to fix a redirect vulnerability related to the site of its DoubleClick online advertising unit.
"Open URL redirection is an issue we take very seriously. As we become aware of open URL redirectors on google.com, we actively work to close them. We are also aware of redirectors using doubleclick.com and are working to address this issue," the Google spokesman said.
The issue was reported on the Sunbelt Blog.