

Google Crossed Up By XSS Again

TechNews_Bot
Tue 16 January 2007, 01:17 pm GMT +0100
Yet another cross-site scripting issue has cropped up with Google, as their dominant place on the Internet could be starting to draw Microsoft-like attention from malicious hackers.


To read the full article click here

Nikolas
Tue 16 January 2007, 07:52 pm GMT +0100
Interesting read :)

Quote
I will not give you details as to how the exploit works until it has been fixed - but I can tell you that it is extremely easy for anyone who knows HTML to exploit

Seems like the Google engineers are not SO good after all....

ventureskills
Wed 17 January 2007, 01:01 pm GMT +0100
Cross scripting issues are bound to pop up in web-based applications, particularly across a large single sign-on system like Google. I'm only surprised it doesn't happen more often. I think part of the problem is that the authentication methods Google uses vary from application to application; how Google Analytics authenticates users, for example, appears to be different from how Gmail does.

I think once this is sorted out and they have a common platform these issues should lessen, though it's still problematic in that they actually give out methods and handles to authenticate against the Google user base to the public.

Nikolas
Wed 17 January 2007, 01:26 pm GMT +0100
It would be reasonable to use web services (SOAP) for that kind of operation, but as they are so vulnerable to XSS attacks it appears that Google uses more old-fashioned technology, which is also reasonable as the old technologies produce less overhead, and for sites with millions of requests every hour this is a significant factor :)
