Google Plugs Cookie-Theft Data Leak

An Israeli researcher finds a bug in the Froogle comparison-shopping service that could have serious ramifications for Google's attempt at identity management.

There's a big target on Google Inc.'s back.

For the second time this week, security flaws in the company's Web-based products have been uncovered, and the latest—in the Froogle comparison-shopping service—could have serious ramifications for Google's attempt at identity management.

In a statement sent to, the search darling confirmed it was alerted to a "potential security vulnerability affecting Froogle," but no details were provided.

"We have since fixed this vulnerability, and all current and future Froogle users are protected," Google said.

According to Israeli security researcher Nir Goldshlager, a malicious hacker could exploit the hole by embedding a JavaScript in a URL pointing to Froogle. Once the link is clicked, the JavaScript triggers a browser redirect to a malicious Web site where the target's Google cookie is stolen.

Goldshlager, who was recently credited with finding a flaw in the Lycos e-mail service, said the cookie contains usernames and passwords for the "Google Accounts" centralized log-in service. He said the flaw also could be used to hijack Gmail accounts.

The Google Accounts identity management service is programmed to provide universal access to all Google services that require a login.

It powers logins for Google Groups, Google Alerts, Google Answers and Google Web APIs, and plans are in place to expand the service to include Google Adwords and the company's e-commerce store.

Goldshlager, who provided proof-of-concept exploits of the cross-site scripting scenarios to Google, told the vulnerability has since been fixed. But he warned that information from stolen cookies can be used even if the password is changed.

"The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he wants, and it still won't stop the hacker from using his box," Goldshlager said.
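The behavior Goldshlager describes, where a cookie keeps working after a password change, comes from validating the cookie on its own rather than against current account state. The sketch below is an added example, not Google's code: the `Accounts` store, the per-user session epoch and the cookie layout are all assumptions made for illustration. It shows the weak check next to one that revokes old cookies on password change.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed demo key, not a real deployment secret

class Accounts:
    """Hypothetical account store: password hash plus a session epoch per user."""
    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        # Bumping the epoch on every password change is what revokes old cookies.
        epoch = self.users.get(user, {}).get("epoch", 0) + 1
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw": self._hash(salt, password), "epoch": epoch}

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], self._hash(rec["salt"], password)):
            return None
        return _sign(f"{user}|{rec['epoch']}")

def _sign(body):
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def verify_cookie(accounts, cookie, check_epoch=True):
    """Return the user name for a valid cookie, else None.
    check_epoch=False models the weak design: a valid signature alone is enough."""
    try:
        user, epoch, _tag = cookie.rsplit("|", 2)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{user}|{epoch}").encode(), cookie.encode()):
        return None
    rec = accounts.users.get(user)
    # The epoch was signed by the server, so int() is safe once the tag has matched.
    if rec is None or (check_epoch and int(epoch) != rec["epoch"]):
        return None
    return user

def set_cookie_header(cookie):
    # HttpOnly keeps injected script from reading the cookie; Secure keeps it off plain HTTP.
    return f"Set-Cookie: session={cookie}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

With `check_epoch=False` a cookie issued before a password change is still accepted afterwards; with the default it is rejected as soon as `set_password` runs.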

Earlier this week, Google was forced to address a separate bug in Gmail that allowed access to other users' personal e-mails. By altering the "From" address field of an e-mail sent to the service, a malicious hacker could potentially find out a user's personal information, including passwords.

A month ago, Google acknowledged—and patched—a security hole in its desktop search utility that opened the doors for man-in-the-middle data leak attacks.

Experts have warned that the desktop search tool is the ultimate security hole, and researchers at Gartner have cautioned businesses against supporting the use of Google Desktop Search because of security and privacy concerns.

In the past, security-related hiccups have ruined consumer trust in identity management tools. Microsoft Corp., for example, has been forced to scale back the .NET Passport service after a slew of big-name clients discontinued support.

In May 2003, a security hole in the MSN Passport service put millions of users at risk of password hijack attacks.

