Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Google Plugs Security Flaw in AdWords

    By
    Ryan Naraine
    -
    October 10, 2005
    Share
    Facebook
    Twitter
    Linkedin

      Google Inc. has quietly patched a potentially dangerous security flaw in two of its business-facing services after a private security research outfit warned that malicious hackers could exploit the bug to hijack sensitive user information.

      The vulnerability was flagged—and fixed—in the Google AdWords and Google Services subdomains.

      Because both sites use data from the Google Accounts username/password system, security experts said the flaw presented a major identity theft risk.

      The bug was reported to Google by Israeli IT security services firm Finjan Software Ltd. on Sept. 22. Two days later, Google corrected the flaw and made it clear that no user data was compromised.

      “[We were] alerted to this issue a little while ago and we worked quickly to fix the problem, which has now been resolved. No user data was compromised and we applaud Finjan for following industry best practices for vulnerability disclosure,” a Google spokesperson said in a statement.

      /zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

      Limor Elbaz, vice president of business development and strategy at Finjan, said the Google AdWords and Google Services sites contained forms that did not validate and filter input.

      “Due to the lack of data validation and filtering, this vulnerability could have allowed an attacker to inject content and scripts which could allow him to steal the victims cookie,” Elbaz said in an interview with Ziff Davis Internet News.

      Finjan did not release details of the vulnerability beyond a carefully worded press release, but Elbaz said the companys researches provided proof-of-concept exploits to Google to show that the URLs could be manipulated to control a users Google cookie.

      /zimages/6/28571.gifClick here to read about Googles patch for a desktop search flaw.

      “Its a legitimate Google URL with specific parameters. When someone clicks on that link, the attacker can take over the users account,” Elbaz explained.

      She described the issue as a “cross-site scripting vulnerability” that is caused by the lack of data validation and filtering. “[This] could have allowed an attacker to inject content and scripts which could allow him to steal the victims cookie.”

      If the victim clicked on the malicious link while logged in to Google Accounts, the attacker could commandeer the victims cookie and gain access to some of the Google services tied to that account. These services include AdWords, personalized search results, Froogles wish list, Google Alerts or Google Groups.

      Elbaz said the attacker might also have been able to change the content of the Google Web page to launch phishing attacks or even trick the user into downloading Trojans, spyware programs or other malicious files.

      Security researchers have long warned that consolidated user accounts could present a major risk if a single breach occurs, and the latest Finjan findings have underscored the security implications.

      “In this case, it was an issue that was handled responsibly,” Finjans Elbaz said. However, if the attack occurred in the wild, the reverberations for Google and its millions of users could have been severe.

      /zimages/6/28571.gifIs desktop search the ultimate security hole? Click here to read more.

      Its not the first time the Web search giant has faced questions about security in its Web-based services. Last December, Google was forced to patch its desktop search tool after two Rice University graduate students discovered a flaw that opened the doors to man-in-the-middle data leak attacks.

      Desktop search has emerged as one of the industrys hottest sectors, with Google, Microsoft Corp., Yahoo Inc., America Online Inc. and several startups all jostling for market share. However, experts have warned that the tools are not secure enough to be considered in the enterprise.

      Researchers at Gartner Inc. have cautioned businesses against supporting the use of Google Desktop Search because of security and privacy concerns. “[It is] not the proper search tool for businesses right now,” Gartner said in a report.

      /zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Ryan Naraine
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×