|
|
|
Google Downplays Talk of Security Vulnerabilities
By: Brian Prince
2008-10-13
Article Rating: / 2
There are 0 user comments on this Network Security & Hardware story.
Google is downplaying talk of security vulnerabilities linked to cross-domain Web application sharing. Two security researchers have posted details about security issues they say leave Google users vulnerable. Google, however, says it has taken steps to protect users from malicious behavior when services are hosted across multiple domains.Google is downplaying concerns about security issues tied to cross-domain
Web application sharing that could leave Google users open to attack.
Security researcher Aviv Raff posted
general details of a cross-domain Web application sharing flaw to his blog Oct.
10. According to Raff, the vulnerability affects several Google applications
available across Google subdomains, including those used by Gmail, Google Maps,
Google Images, Google News and Google search. When used in conjunction with
other vulnerabilities, the issue could pose problems, he wrote.
Click here to read about how some hackers are using Google Trends to determine what to put on malicious sites.
"For instance, one small XSS issue in Google Maps can now be exploited
to hijack Google, Gmail or Google Apps accounts by bypassing the browser's Same
Origin Policy," Raff wrote. "There were several XSS issues reported
in the past, on some of the google.com subdomains, which are now fixed."
A second researcher, Adrian Pastor, posted
proof-of-concept code on GNUCitizen.org showing that attackers can inject
their own pages while the browser still shows the Google domain in the address
bar. In Pastor's example, he created a fake log-in
page an attacker could use to trick someone into entering log-in
information. Pastor wrote on GNUCitizen:
I thought that showing a live
example would help our readers get an idea of what frame injection looks in
action. For that purpose, I prepared a rather not elegant proof of concept
which takes advantage of the Google Images service. What's neat is that
although the legitimate URL would normally use the images.google.com domain,
Google also allow us to use other google.com subdomains such as mail.google.com
which is used by Gmail. This is ideal, as we're trying to accomplish a frame
injection attack which can be used to perform phishing attacks against Gmail
users.
Raff claimed he notified Google of the problem in April and company
officials said they were looking into it. As of Oct. 10, he hadn't received any
word of a fix, hence his post. When contacted the same day, a Google spokesperson
said the company is aware of the issue and has taken steps to prevent it in
cases where there are security consequences.
While Pastor's example page may seem legitimate at
first glance, there are ways for users to determine its authenticity. For one
thing, the page's address bar clearly marks it as an HTTP page, whereas all
Google's log-in pages are HTTPS. In addition, Google's Safe Browsing API
also works to protect users from phishing pages.
|
|
�������x}kW㸲a�C>8~ t+@�&f]+˱ăcg�r�7*I~$@063
%TRT*@ggOD.\ݴ!tͩM5{>5J�`OS;Su��Y!=+[c}H}�F��\�3�Ѣ�db�پ�VI�=Mk9�J��D<�֥��E!m$oAX}:[S=w�c�Z�BT!|@J%h�!��Qus_?9|'�f�w^��B(ƻ�F {iZg�o�vu=yͰ
�� /�\1r.b,{{w4�ɿTݡm2���{R'�͑�w2M*-f�iߵ�:�9�z�u
v=�r5M0\Ա:֪V�1?�!ql{ d�Pp9Lwj/�?d�[�.Z$'mXO'��0omYn^H.)
T|Y|ěy30si���2)߆IƜ@w[��@kKUykA
4�+@_x0N�D5kcf�M�r,e��g{0@�M)��6w�k
�3!RBʼa�ĿI�K
_VPJB�-)\D7h+�ԌTwIQ��Q#�=^f/\��RRG��0�Al8{ØWҽTWws^�iغ�\08.כEsL�V�t];7yя0-*�<�OǛ \:mtt�gMxX18�,0]ev|`\\�77�Jy?6�k_)Ab�/*r[�h#�2ud8��:AGA�ticš�hϭ@7F��h`CZ]Ҏ:L��g
w�|h.��x:$,Ab�&a`?}0C5m�| &>t\�l�8d�$)s�yp;L-1σ�5Yҽ[ڗ��?�`#0.Zm{��$8ʼ��E�]u�bSB�ݷ|�{���떭-�L<�ģԠ>N�(~9-R��;C1��x"�"D%� T
h��4�AG�E�ENfAww$]I+TbD8�JnO�u$]CJ"ڹLX*QY,p[/ �͙JRd0e Q="`&�Qea*0pRx5Rn.Zb٦By^�q$s.�]Y�U!=j�ʋ3K6�M}ˁ)�S#O�L�Gx�}lj;Ä��{87��˰`�x�h�yAu!#�@3~�~6ˇ�-M}��5g>�BB12
�=w̠:�'��_
�.'[N/=g.јSQr�Vҋsכ��d5�0�K%gYA�3�'|(@]4>+WePÃ"`"+42[��̞�v(f;,NrByOS*,, H@,gmd{�Oq)�cf�$�1,4�tO�ݡ~�u_�24-%ւfk{ց$l�J=°ε�Z*��![p5|a2�F]��RZBKHDl�Pc/X�Ke�zdY�M"�&Io4Az=챧mH
jrAn##S�OodV-iV9ԴrX,y|�lD0(2n( 鿛R&a+\ڨOaOcw�Asm0Hg����O\����O=<�f�\?& GV
sXO
Mڒ(1@�/��ŵa�a�{�670rt\Xl{�V�N0bF�>yL��{H�[�eXY}}`/�cҧ8h_�zU0�UESUG�+;+^>�F����]h��!.h��~��X@�P A6+8SӞ-jXX�RO�-x�zVGc�'ԿC���X}E-~ʮO1"Q�e�ڟq;h跸&�@^5xo8`�)ب�5UW�*~mO['5^�ߜmhDA��`�>
Н;#ؐCKA;aVS$�'o�|렀6RaExޔ�9"yea@WIl��J�hL?o�_�/Qm(}�<4y�nU
֕G321wY|
RD���ͳi�4=_@HpjGi�
g>gScM8W�^&�&оȣ�*騫VJe2&0�ڃF5c�;�[�LY�6R�L�sݿx�j�=z{Gq7'Z rLW!SB�9�^% ��sK��\7�a Z��2Q&OB�8JYk-[r_�A~�V0u^AC#ȫͦ'0�(j'�'CO7)~�}$DC9�m�4;n�RTP�]\\K�#UX)TԒP/YTAtUvdi&x9L���Ll�'P`�Q(S&�L]8�TV<^��nۋ=953ץ~@Lf@�=�P3 &t]4V��!Tcj`2L8[G
knQ�:��a�GF*ݔ;Y`'\U%P-HjYt�>80xP N��:W�8pL\'e�M=J2z7���&=~�?<�a�a=$y7J�ЋWKǝ/4.i��_I�R:$*pvxu".�gM~l1�9z˾WM�$(��X�q�4q>'^y�{{89i]I7�my
#4�-o�d�hD4|/�YJ|I}Ѿ�E)%{�붯[�r��d���,�O!y/FS�L�o2�X�G|��0&K#f�!B".훓
g��|%�V}Xhr!slP6Õh4�FlCꏝ%/�a�֭
Bf�3�bB!|JLJCT䵤�
g[YUHN~�'%gqb��Ly�x*= $Lr@~A=?W$=�;�F`푖cɥ��`�`'#�9ʼS�3LaZ��G�W�./=v{�}`Nȣ&k{��?gdqF[��ٽ촚o5e'S�
C7+�t9ninmǡ8�-�0Nx(4P$yUZ/VU�$]ud%�
>�Yx�2�&i^�%3�=�4/�Zt`
Q)k�$ɻb��]�Q0���0လ',�v�N��;%
��.aGmv/
QD>B�ߟ`�=Z&'Q8�27YfM-h/�NZ_����AB5i#X��M-Z��ȁ�A�C<:no�pѥ�PjjX1C8/Lu֯|s�(j8N)rr'C�"z�0���V�KdySP|[�0HNzWN~/�-LKik+U�]6@; ��j��ӸLxXLCyȜ'��pO�`yʀ(W�9`��9n�e�J�s�32�� ?L���YUY֕~�s$u�[M&5M\b\�*nFg3i4k:&�ų�(*aV�j>vZ����oz�ܸI*q�KMlJ�+neij&'%KR${]q"qc�/.+q�=XnN%N}`zs
��]Hڥ���<Ë|U�d!3�x9i'hKehJo@Ѐlwk00x|gA@~}��E}Y�,`�Ɖ��I
2hE^+%�W+GE�hYmޤx
�?��ڌ,��JHlB
"-;5PJݚ�N��A/�۪i
ԥ�aJ4գs�
�G�_4a��)%H�xc*]SdS0
VSWUE�"+F��`$D
�j��PD�
@h5�*p=QJ4%S^�BJ=:BXJawY�n
M`W�hR'p=T/A{'�>:4𥏓�h)f=.�Op.P%�'�jfk� t1m`�> ��{�
,ԟL7eT̬&5!2�omL_Y{JJAQ�nd@���
��9�@^|2!ڛZߠҖ%)�_W>[�L w633Yk�T%��k�:w n{�[+�Igc$�MgRR*8HP%�脃%�,a`y���WS/N_�d�T��^ϧX�\YW2O3Dq5jE��ck-�ґ܁e�j>w.p;w��ԣ:NRP.V-��#��`�"�}gS)qy2aO~u[_~wL~wL~wL~wLr~\%�G��|g/=
ؼU;`Q �-���~M!�! 8gS?�z#7B}S֞VWJ_-("iuA�cv�/.[��BA쑫q~/y٫aP"y
n;T-ɅuHҡTBi9��lOvu5kҾ&A08^.5�儁aw�x�)"
Vտo �n�n[?qCb$Z]{0\NX��3,M?C"�&1K9#M᭜).b�Gy��uM|y�#oͫ?'.(&#u,,�@�Nt
�O\/НǝfST}䉯[Ho��;L���M�st��x��w�w%Qē�C.SqG8�bݵ���k"Z�,3s䏹Ib+_]3#)5|5X�����XR�w2
�(/g�*'q'F"j\�hۧ�jsl�+A#샒�=�%h�MO? ,qz)Ds��ā,�?:.ċ֖��AXx-wD�9��D�NE0�H�^XBk*p�D]�bɤ=���^Pl&qn/�&N�ۜ95�͂E /
tE��c%5T(r~zzɟZbiE�.c
2�Y��!1c�TA9-� �j"+���jD���x'�kp�)Xۜ>5-yM13bmC��y�m�+=umm;�btk�+mLxX8Ow|
v{ʂ"B(ͪD�\o2y
1u��n�r':r��Jͬ."A�dӃώͰl�g|[2@�
`C_a̷Uqhi\ԊK�k)qOc|�x,Ɨ�I�*N�.JE��E�t�03�w�j�9C�(�NbJ ͍$�u�~kv�K1
F.X`���Y�ej��xp�Ƨ�x�}<9�j�#ܕeR>5d<0
0g�Y:ovN���*'��D_=:ς價)s!aZ;+AguU�q VH:+�^@0��3�:%�{$͈ɵ;ҝ�s/4/>
iӛft>�uoZV�5/ڷxx Zҷptԭs>|ܾ|ںj^ߴL�ƿf�&�R4�e�jӫe)SC9�m�6�W#\]drx�ixɎ(ah,Ώ6��tg$w[5�U6r�Uo&LlW?f_z
�''7NG˦V\k!hu??Չt|]&53;��m:F���[�+�!XU8i:67a\nq���4ħEKW\=4[E�EF�(Q�ʿd@�pj#
r�I3�ʏW�}N3s�?G(VNrIF9?ϴ2ʡ�:�埡���o}�K2�K��{AKe�}.��/?/3�2?QF2�2ϡ<�PK((�+��66vi~igk�3���w2�u3+#��埲�O�}�}ʠ-f�f--m�%:Iʘ!gk\8=R��er�~)A_d_�y*%iF>g賲���+z;_˰Πs3�2Я!ednld~i]�O
aq�ʍz�^S_x�s+
ǸJuv�z^_@�%KH0e^ڛT��GPIpKxEó#�#�h��toĶ.�p�&}:=Wvl+Jy._[nNJ>x.~QJxd\$h{U2�6#�{"xbcN7#%Y!/ܻ�GznQ'��oL2~�v=y_�{�^�y�P�[4יqeGޢD�)�F�yk@�Y-g,`�|kԥ�z��p��1�Q�6`�3x�,�4F=w�0z�3WǴkHƫ�H=`GОf@L��V��v^`cоxA�Q4�[Hl7c@诿L`Xk'J7�It#bÝPnl@Pv
�
]7�P3xØ;
7t�gG=�/�P�˺�who=��O^�!��N��E:�7X1L_%$2ǃBL�r�$Ҵ�z�`^f��^$ul70H-��;>c/,grj'@�;o�sҙ`&<�aOxw3 ^{l�x$Qh/I'�;��>#�0@uﰟ��cO�ql@�O� X1Wdg��Ag|bOhMx%�7�M&$rq�;}��2걄0�n�H[a��>$_NA5c.d:h}r[xj
-K?�>V@3.2�f�Kǃ�,h�ڗBQfwfk
kn �\зkdQk��WU�M˚�μP؝dznJ%L9(ن�W�0U7�VA}>�D,D*�9"[�o�%�P1@EikN?nI3ۉz�N$%�}YQ ��v.y�hFʪv\|9I��T~7)V��\w|7(6؋JO���0wG�{s�HjuO)t��I`S�F11��|0�j;;�1�Te]ZQYɶ��z
S�O~jO(Co݂�k\�+<>a�iЄΧ^p멎T��U|��J��A1^<$nܛw�M+nvG�D
g7>��6'كl2=~:
�>(Fْ[0��?{Fukϳ�A�slk
6-����`⎈Me�6e\�DR�*El'f
,��� ~sf_N�(@P��9���BuY^|:ym.�E;�Ofu�ݎ&Ӿmy�i;< ׁ]"�b��CΰҶ\)V�xj\�n2?>Ş�i#|��@ �(ۊnfTt���`GY�e`�kr
k5-E6��:ˇt�g)C2^#s!�Y����,�^^kta�(
aa��vX��ev:U9wm�jWW6x�ozc|>[z0�XjPgN0�y,X�+0_�k��A#�LeU��|t}GYEL`&;]+�N%t&vж?8�هl*ƾ��&/��l{k+�ЃTnxFK-^P?Q�>�χ"@�DNENE<<�Sf}')VSL_Xџ�_P>a*g\%ƕyĺ@Xqө8Yot?_4�.[��ByھJ��RI>Q�}��v<<~v�i}i a�%
ѨT\��6[g݃%M��nңǫ�)h,(Z�N椙� $RzY"^ֳo�
6A|>Őy6�#x�L�
2kV*w�V㛼VtƦ�I:1qz�.yaD셳QbmئdUi2�9?R{) qU4>�!an)nǝl| �n%96L]_�[�
P��@*��
|
Network Security & Hardware 
