Home
Latest images
Search
Register
Log inGoogle Gmail, Other Apps, Vulnerable To Attack
Page 1 of 1
Google Gmail, Other Apps, Vulnerable To Attack
andry Wed Nov 24, 2010 3:27 am
Security researchers alert the company to a bug that could let hackers use Google Maps to infiltrate Google, Google Mail, or Google Apps accounts.
Google (NSDQ: GOOG)'s online applications are vulnerable to attack, two security researchers claimed Friday.
Google Gmail, for example, is vulnerable to a frame injection attack that could be used to phish login credentials from Google users.
Adrian 'pagvac' Pastor, a security researcher with GNUCitizen.org, on Friday posted proof-of-concept code that can inject a third-party page -- a fake login page in Pastor's example -- while the user's browser address bar still displays the Google domain. This could dupe the user into entering login details.
"The beauty of frame injection attacks is that the attacker is able to impersonate a trusted entity without needing to bypass XSS/HTML filters or even break into the target server," Pastor explained on the GNUCitizen site.
In a related blog post on Friday, security researcher Aviv Raff explained that Google is vulnerable to "a cross-domain Web-application sharing security design flaw."
The vulnerability reportedly affects other applications beyond Gmail. According to Raff, applications in Google's subdomains -- maps.google.com, images.google.com, news.google.com, mail.google.com, and google.com -- are affected. This means, for example, that Google Maps can be used to hijack Google, Google Mail, or Google Apps accounts.
Raff says he notified Google about the problem shortly after he identified it in April and that Google said the issue was being investigated.
"Today, after not getting any further response from the Google security team about this issue, and after Adrian published his proof-of-concept, I've decided to reveal this information in a hope that this security design flaw will be fixed by Google as soon as possible," said Raff.
In reference to the proof-of-concept, a Google spokesperson said, "We're aware of the potential for this kind of behavior when services are hosted across multiple domains, and we take steps to restrict it where we believe it may have security consequences."
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=211100232
Google (NSDQ: GOOG)'s online applications are vulnerable to attack, two security researchers claimed Friday.
Google Gmail, for example, is vulnerable to a frame injection attack that could be used to phish login credentials from Google users.
Adrian 'pagvac' Pastor, a security researcher with GNUCitizen.org, on Friday posted proof-of-concept code that can inject a third-party page -- a fake login page in Pastor's example -- while the user's browser address bar still displays the Google domain. This could dupe the user into entering login details.
"The beauty of frame injection attacks is that the attacker is able to impersonate a trusted entity without needing to bypass XSS/HTML filters or even break into the target server," Pastor explained on the GNUCitizen site.
In a related blog post on Friday, security researcher Aviv Raff explained that Google is vulnerable to "a cross-domain Web-application sharing security design flaw."
The vulnerability reportedly affects other applications beyond Gmail. According to Raff, applications in Google's subdomains -- maps.google.com, images.google.com, news.google.com, mail.google.com, and google.com -- are affected. This means, for example, that Google Maps can be used to hijack Google, Google Mail, or Google Apps accounts.
Raff says he notified Google about the problem shortly after he identified it in April and that Google said the issue was being investigated.
"Today, after not getting any further response from the Google security team about this issue, and after Adrian published his proof-of-concept, I've decided to reveal this information in a hope that this security design flaw will be fixed by Google as soon as possible," said Raff.
In reference to the proof-of-concept, a Google spokesperson said, "We're aware of the potential for this kind of behavior when services are hosted across multiple domains, and we take steps to restrict it where we believe it may have security consequences."
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=211100232
andry- Moderator
- Posts : 467
Join date : 2010-05-07
Similar topics» Can I delete My Gmail Account?
» Symantec website still vulnerable to XSS
» Mashable vulnerable to XSS
» Paper.li vulnerable to XSS
» Get Any Body gmail password
» Symantec website still vulnerable to XSS
» Mashable vulnerable to XSS
» Paper.li vulnerable to XSS
» Get Any Body gmail password
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum|
|
|