01:25 PM
Connect Directly

Google Plugs Cross-Scripting Security Hole

The bug could have allowed attackers to grab a Google user's cookie.

Google has fixed a cross-scripting flaw that opened user accounts to hijacking, the search giant confirmed Monday.

According to San Jose, Calif.-based security vendor Finjan Software, the bug in two unnamed Google sub-sites could have allowed attackers to grab a Google user's cookie. If the user was currently logged on with their Google account -- necessary to use Google's Gmail and new RSS Reader, for instance -- the stolen cookie would have let the attacker access some Google services, including viewing the user's saved searches or alerts, and/or use their identity in Google Groups.

"The cross site scripting vulnerability could have allowed a remote attacker to take over victims’ Google Accounts, or fake the site’s content in order to deceive end users into downloading malicious content or providing personal and confidential information," said Limor Elbaz, Finjan's vice president of business development, in a statement.

Finjan said that it informed Google of the vulnerability in late September, and provided the search giant with proof-of-concept code.

Google has since fixed the flaw. "Google was alerted to this issue…and we worked quickly to fix the problem, which has now been resolved," a Google spokesperson said in an e-mailed statement.

Google also said that it believed no user data was compromised.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.