Python XSS flaw left Google open to attackers

A security researcher reveals how a scripting flaw left many Google services open to an attacker.

Google recently fixed a cross-site scripting vulnerability that could have allowed an attacker to take over a number of its services.

According to researcher 'Inferno' on Securethoughts.com, the vulnerability in Google's Support Python Script could have allowed an intruder to transfer a user's Google.com cookie to a malicious site.

This means that an attacker would have had a user's Google.com domain cookie, which is the single sign-on cookie for all Google services.

A criminal could have gained access to Google Mail, Contacts, Google Docs, Code, Sites and website analytics, and could have installed malicious widgets on an iGoogle homepage.
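As an added illustration (not from the article and not Google's code), the bug class described above in a minimal Python page handler: the vulnerable reflection of a request parameter beside its escaped form, plus a session cookie set HttpOnly so that page scripts cannot read it. The parameter name `q`, the cookie name `SID` and the sample request are assumptions.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample request: the search term carries a script tag.
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def search_term(query_string):
    """Pull the 'q' parameter (assumed name) out of the query string."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string):
    """Reflects user input straight into the page: the XSS pattern the
    article describes. Markup in the parameter becomes part of the HTML."""
    return "<h1>Results for %s</h1>" % search_term(query_string)


def render_hardened(query_string):
    """Same page with the reflected value HTML-escaped, so markup in the
    parameter is shown as text instead of being parsed as HTML."""
    safe = html.escape(search_term(query_string), quote=True)
    return "<h1>Results for %s</h1>" % safe


def session_cookie_header(value):
    """Set-Cookie header for a single sign-on style cookie (assumed name
    SID). HttpOnly keeps it out of document.cookie, which blunts cookie
    theft even if a script does get to run; Secure keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["SID"] = value
    cookie["SID"]["httponly"] = True
    cookie["SID"]["secure"] = True
    cookie["SID"]["path"] = "/"
    return cookie["SID"].OutputString()


def contains_script_tag(page):
    """Cheap regression check a review or test suite can run over rendered
    output: a raw <script> tag in a page built from user input is a red flag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_QUERY))
    print(render_hardened(SAMPLE_QUERY))
    print(session_cookie_header("constructed-session-value"))
```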

However, rather than publish the vulnerability, Inferno reported it straight to Google, which responded within the hour and fixed the flaw after a little more than two weeks.

Inferno said on the blog: "I believe in responsible disclosure, so I waited for this vulnerability to be fixed completely."

Inferno said that the time Google took to fix the flaw was because the vulnerable Python script was used in many places.

A Google spokesperson said: "We immediately investigated this issue after it was privately reported to us, and we resolved it prior to publication. We take the security of our users very seriously."
