Google sites plagued by phishing opportunities

A young Italian computer scientist has discovered another phishing opportunity on one of Google's web sites. This bug affects the googlesyndication.com domain, which Google use to serve their text and image based adverts.

The discovery comes only days after a similar bug was found with the Google Desktop search tool. As Google spread their technology over a greater number of application areas, the possibility for error increases; which could explain the recent stream of discoveries as they fall victim to public scrutiny.

The latest cross site scripting opportunity exploits a flaw in the User Feedback section of Google's advertising system. This allows an attacker to inject their own content onto the page, which could lead to fraudulent activity or phishing. An attacker can exploit this vulnerability to affect any browser which has JavaScript enabled, including Microsoft Internet Explorer and Mozilla Firefox.

google5.gif

Salvatore Aranzulla's web site contains information about his discovery of the bug (Italian). He also demonstrates some URLs that can be used to exploit the bug.

Posted by Paul Mutton at 1 November 2004 in Security | Print this Page

Rackspace Managed Hosting - Web Hosting - Hosting Swishmail.com Business Email Hosting Dedicated Servers - Apollo Hosting
INetU Managed Hosting - Dedicated Servers DataPipe - Personal Touch, Global Reach Website Hosting - Website Source - Ecommerce, VPS
Reseller hosting Managed dedicated server Ahosting Web Hosting and Reseller Hosting By HostDepartment Web Hosting UK - VPS Hosting Dedicated Server
Web Site Hosting - Network Solutions Simplicato Email Hosting Windows Dedicated Servers from Server Intellect

Advertising on Netcraft