Google plugs 'obscure' phishing holes

Web site security flaws could have enabled phishing scams, account hijacks and other attacks.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
Google has fixed a security flaw that had opened the door to phishing scams, account hijacks and other attacks, security researchers said Wednesday.

The flaw, known as a cross-site scripting vulnerability, existed because Google did not properly secure its mechanism for two error pages, according to Web security company Watchfire, which discovered the problem. Watchfire posted to a security mailing list an advisory on the issue.

Attackers could exploit the flaw to launch phishing scams or steal a user's credentials, said Ory Segal, director of security research at Watchfire. Phishing scams are designed to trick people into giving up sensitive information such as usernames, passwords, credit card details and Social Security numbers.

"When we looked at the Google site, we saw that they are very good with their Web application security, but it looked like they forgot about this obscure variant of cross-site scripting," Segal said.

Google confirmed that it was alerted "a little while ago" and fixed the flaw. "No user data was compromised and we applaud Watchfire for following industry best practices for vulnerability disclosure," a Google representative said in an e-mailed statement.

The problem existed in the mechanism Google uses to generate error pages for forbidden redirects and pages that don't exist on the Google Web site, according to Watchfire. An attacker could use 7-bit Unicode Transformation Format (UTF-7) characters to exploit the flaw, Watchfire said.

In an attack, the target would click on a malicious link or visit a specially crafted Web page, Segal said. "You would then see the Google error page in your browser and with that message also receive malicious JavaScript code planted in the link," he said. Because the code is coming from Google, it can access data such as Google cookies, he said.

Google was alerted on Nov. 15 and fixed the problem on Dec. 1 by using character encoding enforcement, according to Watchfire. The security company in its advisory commends Google for its cooperation and communication regarding this vulnerability.

Cross-site scripting flaws are found regularly. Earlier this year, Finjan Software spotted a similar bug in Google's Web site as well as Microsoft's Xbox 360 Web site. Such flaws have also been identified in Yahoo's Web-based e-mail service.

Earlier this year, a security flaw in Google's e-mail service, Gmail, was identified and fixed. The flaw could have allowed attackers to hijack Gmail users' in-boxes.