Google has fixed a cross-site scripting vulnerability in Google Orkut a security researcher said could be used to steal cookies and other information.
Nir Goldshlager, who also recently uncovered vulnerabilities affecting Google Calendar and Twitter, told eWEEK the problem was due to an input validation error.
“An attacker will exploit the vulnerability if a user clicks a malicious link,” he explained in an e-mail. “When the user clicks on the malicious link that has the same (true) Web address name the (cross-site scripting attack) will be run on his client (Internet Explorer, Mozilla Firefox) and will send his cookies (and) session ID to the attacker’s evil site.”
An attacker can even bypass cross-site request forgery protection with the vulnerability and do other attacks, he said.
Google Orkut is a social networking site operated by Google. Though not as popular in the United States as sites such as Facebook and MySpace, it reportedly has 100 million users worldwide.
When eWEEK showed Google a proof-of-concept video demonstrating the attack, the company responded Jan. 12 that it had discovered the flaw independently during its own code review. Google offered no timeline, however, as to when it found it or how long it had been working on a patch, which has been rolled out.
