Google Plugs Cookie-Theft Data Leak | eWeek

Google Plugs Cookie-Theft Data Leak

Écrit par
Ryan Naraine
Ryan Naraine
Jan 14, 2005
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Theres a big target on Google Inc.s back.

For the second time this week, security flaws in the companys Web-based products have been uncovered, and the latest—in the Froogle comparison-shopping service—could have serious ramifications for Googles attempt at identity management.

In a statement sent to eWEEK.com, the search darling confirmed it was alerted to a “potential security vulnerability affecting Froogle,” but no details were provided.

“We have since fixed this vulnerability, and all current and future Froogle users are protected,” Google said.

According to Israeli security researcher Nir Goldshlager, a malicious hacker could exploit the hole by embedding a JavaScript in a URL pointing to Froogle. Once the link is clicked, the JavaScript triggers a browser redirect to a malicious Web site where the targets Google cookie is stolen.

Goldshlager, who was recently credited with finding a flaw in the Lycos e-mail service, said the cookie contains usernames and passwords for the “Google Accounts” centralized log-in service. He said the flaw also could be used to hijack Gmail accounts.

The Google Accounts identity management service is programmed to provide universal access to all Google services that require a login.

It powers logins for Google Groups, Google Alerts, Google Answers and Google Web APIs, and plans are in place to expand the service to include Google Adwords and the companys e-commerce store.

Goldshlager, who provided proof-of-concept exploits of the cross-site scripting scenarios to Google, told eWEEK.com the vulnerability has since been fixed. But he warned that information from stolen cookies can be used even if the password is changed.

“The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he wants, and it still wont stop the hacker from using his box,” Goldshlager said.

Earlier this week, Google was forced to address a separate bug in Gmail that allowed access to other users personal e-mails. By altering the “From” address field of an e-mail sent to the service, a malicious hacker could potentially find out a users personal information, including passwords.

A month ago, Google acknowledged—and patched—a security hole in its desktop search utility that opened the doors for man-in-the-middle data leak attacks.

Experts have warned that the desktop search tool is the ultimate security hole, and researchers at Gartner have cautioned businesses against supporting the use of Google Desktop Search because of security and privacy concerns.

In the past, security-related hiccups have ruined consumer trust in identity management tools. Microsoft Corp., for example, has been forced to scale back the .NET Passport service after a slew of big-name clients discontinued support.

In May 2003, a security hole in the MSN Passport service put millions of users at risk of password hijack attacks.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.