Google Downplays Talk of Security Vulnerabilities

Google is downplaying talk of security vulnerabilities linked to cross-domain Web application sharing. Two security researchers have posted details about security issues they say leave Google users vulnerable. Google, however, says it has taken steps to protect users from malicious behavior when services are hosted across multiple domains.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Google is downplaying concerns about security issues tied to cross-domain Web application sharing that could leave Google users open to attack.

Security researcher Aviv Raff posted general details of a cross-domain Web application sharing flaw to his blog Oct. 10. According to Raff, the vulnerability affects several Google applications available across Google subdomains, including those used by Gmail, Google Maps, Google Images, Google News and Google search. When used in conjunction with other vulnerabilities, the issue could pose problems, he wrote.

Click here to read about how some hackers are using Google Trends to determine what to put on malicious sites.

"For instance, one small XSS issue in Google Maps can now be exploited to hijack Google, Gmail or Google Apps accounts by bypassing the browser's Same Origin Policy," Raff wrote. "There were several XSS issues reported in the past, on some of the subdomains, which are now fixed."

A second researcher, Adrian Pastor, posted proof-of-concept code on showing that attackers can inject their own pages while the browser still shows the Google domain in the address bar. In Pastor's example, he created a fake log-in page an attacker could use to trick someone into entering log-in information. Pastor wrote on GNUCitizen:

"I thought that showing a live example would help our readers get an idea of what frame injection looks in action. For that purpose, I prepared a rather not elegant proof of concept which takes advantage of the Google Images service. What's neat is that although the legitimate URL would normally use the domain, Google also allow us to use other subdomains such as which is used by Gmail. This is ideal, as we're trying to accomplish a frame injection attack which can be used to perform phishing attacks against Gmail users."

Raff claimed he notified Google of the problem in April and company officials said they were looking into it. As of Oct. 10, he hadn't received any word of a fix, hence his post. When contacted the same day, a Google spokesperson said the company is aware of the issue and has taken steps to prevent it in cases where there are security consequences.

While Pastor's example page may seem legitimate at first glance, there are ways for users to determine its authenticity. For one thing, the page's address bar clearly marks it as an HTTP page, whereas all Google's log-in pages are HTTPS. In addition, Google's Safe Browsing API also works to protect users from phishing pages.