Google XSS Vulnerability Cleared

Tuesday, November 13, 2012 @ 05:11 PM gHale


There is a document object model (DOM)-based cross-site scripting (XSS) vulnerability on Google.com, researchers found.

Researchers from Minded Security found the security hole with the help of DOMinatorPro, a runtime JavaScript DOM XSS analyzer.

DOMinatorPro revealed a piece of code in googleadservices.com/pagead/landing.js that used unvalidated input to build the argument for two “document.write” calls, the researchers said.

They found the buggy JavaScript was used by google.com/toolbar/ie/index.html (both HTTP and HTTPS).

“[This] means that one more time a (almost) 3rd party script introduces a flaw in the context of an unaware domain,” Minded Security’s Stefano Di Paola said.

Di Paola suggested one workaround, but Google decided to address this issue by removing the problematic script altogether.

Unlike the traditional XSS vulnerabilities that occur in the server-side code, DOM-based XSS affects the script code in the client’s browser.
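
The pattern the researchers describe, unvalidated input reaching a “document.write” call, is shown below as an added example; it is not the code from landing.js and not part of the original article. The `ref` parameter, the `ads.example` host and all function names are hypothetical, and a small stub stands in for the browser's `document` so the code runs under Node.

```javascript
// Added illustration of the source-to-sink flow; all names are hypothetical.
// Source: the page's query string. Sink: document.write.

// Minimal stand-in for the browser document that records what is written.
function makeDocument() {
  const written = [];
  return { written, write(html) { written.push(html); } };
}

// Vulnerable pattern: a query parameter is concatenated into markup unchecked,
// so a value containing quotes and angle brackets escapes the attribute.
function writeTrackerUnsafe(doc, search) {
  const ref = new URLSearchParams(search).get("ref") || "";
  doc.write('<img src="https://ads.example/pixel?ref=' + ref + '">');
}

// Hardened pattern: allow-list the value's shape, then encode it for the
// URL context before it reaches the sink. Anything else is rejected.
function writeTrackerSafe(doc, search) {
  const ref = new URLSearchParams(search).get("ref") || "";
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(ref)) {
    return false; // write nothing for unexpected input
  }
  doc.write('<img src="https://ads.example/pixel?ref=' +
            encodeURIComponent(ref) + '">');
  return true;
}

// Constructed sample inputs (not taken from the reported issue).
const BENIGN = "?ref=campaign_42";
const HOSTILE = "?ref=" + encodeURIComponent('"><script>alert(1)</script>');

// Run both variants over one input and report what reached the sink.
function compare(search) {
  const unsafeDoc = makeDocument();
  const safeDoc = makeDocument();
  writeTrackerUnsafe(unsafeDoc, search);
  const accepted = writeTrackerSafe(safeDoc, search);
  return { unsafe: unsafeDoc.written, safe: safeDoc.written, accepted };
}

console.log(compare(BENIGN));
console.log(compare(HOSTILE));
```

Because the flow from query string to “document.write” happens entirely in the browser, server-side request filtering may never see the value; the check has to sit in the script itself, next to the sink.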


