The flaw, known as a cross-site scripting vulnerability, existed because Google did not properly secure its mechanism for two error pages, according to Web security company Watchfire, which discovered the problem. Watchfire posted to a security mailing list an advisory on the issue.
Attackers could exploit the flaw toor steal a user's credentials, said Ory Segal, director of security research at Watchfire. are designed to trick people into giving up sensitive information such as usernames, passwords, credit card details and Social Security numbers.
"When we looked at the Google site, we saw that they are very good with their Web application security, but it looked like they forgot about this obscure variant of cross-site scripting," Segal said.
Google confirmed that it was alerted "a little while ago" and fixed the flaw. "No user data was compromised and we applaud Watchfire for followingfor vulnerability disclosure," a Google representative said in an e-mailed statement.
The problem existed in the mechanism Google uses to generate error pages for forbidden redirects and pages that don't exist on the Google Web site, according to Watchfire. An attacker could use 7-bit Unicode Transformation Format (UTF-7) characters to exploit the flaw, Watchfire said.
Google was alerted on Nov. 15 and fixed the problem on Dec. 1 by using character encoding enforcement, according to Watchfire. The security company in its advisory commends Google for its cooperation and communication regarding this vulnerability.
Cross-site scripting flaws are found regularly. Earlier this year, Finjan Software spotted aas well as Microsoft's Xbox 360 Web site. Such flaws have .
Earlier this year, a security, Gmail, was identified and fixed. The flaw could have allowed attackers to hijack Gmail users' in-boxes.