[ISN] Google fixes security hole

InfoSec News isn at c4i.org
Thu Oct 21 04:11:39 EDT 2004


By Stefanie Olsen 
Staff Writer, CNET News.com
October 20, 2004

Google on Thursday fixed a security flaw in its Web search service
that could have allowed malicious hackers to modify its pages.

According to a report posted to the Bugtraq Security Focus list on
Wednesday, Google's new Desktop Search tool did not prevent a hacker
from inserting JavaScript, a programming language, into the Web
address of its page image, or logo. That vulnerability could have
allowed any rogue third party to change the appearance of Google's Web
page to ask for personal data such as credit card numbers from its
visitors, what's known as a phishing scam, according to the warning.

Mountain View, Calif.-based Google said it has fixed the problem.

"Google was recently alerted to a potential security vulnerability
affecting users of our Web site," a company representative said. "We
have since fixed this vulnerability, and all current and future
Google.com users are protected."

The warning came only a week after Google released its newest Web
search product--a tool to search the files on a PC alongside Web
pages. Security experts have scrutinized the technology, with some
interesting finds. Last week, security consultant Richard Smith found
clues that could point to a coming instant chat client from the search

Jim Ley, who runs a Web log, posted the warning about Google's
script-insertion flaw, which he said has affected Google's main site
for as long as two years. But with the addition of Google Desktop, the
flaw became more serious, he said, because "it places the results of a
desktop search into the output of a regular Google search." He said
that the flaw could have allowed third parties to make a record of all
the searches people make.

The flaw primarily had affected people using Microsoft's Internet
Explorer Web browser, Ley said.

More information about the ISN mailing list