Google sites plagued by phishing opportunities

A young Italian computer scientist has discovered another phishing opportunity on one of Google's web sites. This bug affects the googlesyndication.com domain, which Google use to serve their text- and image-based adverts.

The discovery comes only days after a similar bug was found in the Google Desktop search tool. As Google spread their technology over a greater number of application areas, the possibility for error increases, which could explain the recent stream of discoveries as they fall victim to public scrutiny.

The latest cross-site scripting opportunity exploits a flaw in the User Feedback section of Google's advertising system. This allows an attacker to inject their own content onto the page, which could lead to fraudulent activity or phishing. An attacker can exploit this vulnerability to affect any browser which has JavaScript enabled, including Microsoft Internet Explorer and Mozilla Firefox.

Salvatore Aranzulla's web site contains information about his discovery of the bug (in Italian). He also demonstrates some URLs that can be used to exploit the bug.