Google Inc. has quietly patched a potentially dangerous security flaw in two of its business-facing services after a private security research outfit warned that malicious hackers could exploit the bug to hijack sensitive user information.
The vulnerability was flagged—and fixed—in the Google AdWords and Google Services subdomains.
Because both sites use data from the Google Accounts username/password system, security experts said the flaw presented a major identity theft risk.
The bug was reported to Google by Israeli IT security services firm Finjan Software Ltd. on Sept. 22. Two days later, Google corrected the flaw and made it clear that no user data was compromised.
“[We were] alerted to this issue a little while ago and we worked quickly to fix the problem, which has now been resolved. No user data was compromised and we applaud Finjan for following industry best practices for vulnerability disclosure,” a Google spokesperson said in a statement.
Limor Elbaz, vice president of business development and strategy at Finjan, said the Google AdWords and Google Services sites contained forms that did not validate and filter input.
“Due to the lack of data validation and filtering, this vulnerability could have allowed an attacker to inject content and scripts which could allow him to steal the victims cookie,” Elbaz said in an interview with Ziff Davis Internet News.
Finjan did not release details of the vulnerability beyond a carefully worded press release, but Elbaz said the companys researches provided proof-of-concept exploits to Google to show that the URLs could be manipulated to control a users Google cookie.
“Its a legitimate Google URL with specific parameters. When someone clicks on that link, the attacker can take over the users account,” Elbaz explained.
She described the issue as a “cross-site scripting vulnerability” that is caused by the lack of data validation and filtering. “[This] could have allowed an attacker to inject content and scripts which could allow him to steal the victims cookie.”
If the victim clicked on the malicious link while logged in to Google Accounts, the attacker could commandeer the victims cookie and gain access to some of the Google services tied to that account. These services include AdWords, personalized search results, Froogles wish list, Google Alerts or Google Groups.
Elbaz said the attacker might also have been able to change the content of the Google Web page to launch phishing attacks or even trick the user into downloading Trojans, spyware programs or other malicious files.
Security researchers have long warned that consolidated user accounts could present a major risk if a single breach occurs, and the latest Finjan findings have underscored the security implications.
“In this case, it was an issue that was handled responsibly,” Finjans Elbaz said. However, if the attack occurred in the wild, the reverberations for Google and its millions of users could have been severe.
Its not the first time the Web search giant has faced questions about security in its Web-based services. Last December, Google was forced to patch its desktop search tool after two Rice University graduate students discovered a flaw that opened the doors to man-in-the-middle data leak attacks.
Desktop search has emerged as one of the industrys hottest sectors, with Google, Microsoft Corp., Yahoo Inc., America Online Inc. and several startups all jostling for market share. However, experts have warned that the tools are not secure enough to be considered in the enterprise.
Researchers at Gartner Inc. have cautioned businesses against supporting the use of Google Desktop Search because of security and privacy concerns. “[It is] not the proper search tool for businesses right now,” Gartner said in a report.
