
CERT-In Advisory CIAD-2007-50
Cross-Site Scripting (XSS) Vulnerabilities in Google

Original issue date: September 27, 2007
Updated: October 08, 2007

Severity Rating: High

Applications Affected in Google

  • Gmail
  • Google Search Appliance
  • Google (Blogspot) Polls Application
  • Google's Picasa photo-sharing software
  • Google's Urchin Analytics service

Overview

Multiple vulnerabilities have been reported in a wide range of Google products, including Google Search Appliance, the Google (Blogspot) Polls application, Google's Picasa photo-sharing software and Google's Urchin Analytics service, as well as a persistent e-mail theft issue affecting the widely used Gmail service.

Description

What is Cross-site Scripting?

Cross-site scripting (also known as XSS) occurs when a web application gathers malicious data from a user and reflects it back to a browser. The data is usually delivered in the form of a hyperlink that contains malicious content. The user will most likely click on this link from another website, from an instant message, or simply while reading a web board or e-mail message. Usually the attacker encodes the malicious portion of the link in hex (or another encoding) so that the request looks less suspicious to the user when clicked. After the web application receives the data, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner that makes it appear to be valid content from the website.

1. Cross-site request forgery (CSRF) Vulnerability in Gmail

A cross-site request forgery vulnerability has been reported in Google's Gmail service. The vulnerability can be exploited by an attacker who convinces the user to visit a malicious website while logged into Gmail. When the user visits the malicious page, the page performs a multipart/form-data POST to one of the Gmail interfaces and injects a filter into the victim's filter list. After successful exploitation, the attacker has written a filter that simply looks for e-mails with attachments and forwards them to an e-mail address of the attacker's choice. The attack remains in effect for as long as the victim has the filter in their filter list, even after the initial vulnerability that allowed the injection is fixed by Google.
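To illustrate the server-side defence against the forged multipart/form-data POST described above, here is an added Python example (not code from the advisory or from Google) that binds an anti-CSRF token to the user's session and rejects state-changing requests that lack it or that arrive from a foreign origin; the site origin, the session structure and the filter field names are assumptions.

```python
# Added example (not from the advisory or from Google): anti-CSRF check for a
# state-changing form handler such as one that creates mail filters.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://mail.example.test"   # constructed placeholder origin


def issue_csrf_token(session):
    """Bind a fresh random token to the user's server-side session."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def is_state_change_allowed(method, headers, form, session):
    """Return True only for same-origin requests that carry the session's token.

    `form` is the parsed multipart/form-data body as a dict and `headers` the
    request headers. A page on another origin can make the browser submit the
    form, but it cannot read the victim's token, so its request is rejected.
    """
    if method.upper() not in ("POST", "PUT", "DELETE"):
        return True  # safe methods do not change state
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    # Defence in depth: if the browser sent Origin or Referer, it must be ours.
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False
    return True


def demo():
    """Constructed legitimate and cross-site submissions of a filter form."""
    session = {}
    token = issue_csrf_token(session)
    legit = {"has_attachment": "1", "forward_to": "me@example.test", "csrf_token": token}
    forged = {"has_attachment": "1", "forward_to": "drop@attacker.test"}  # no token
    return (
        is_state_change_allowed("POST", {"Origin": SITE_ORIGIN}, legit, session),
        is_state_change_allowed("POST", {"Origin": "https://evil.test"}, forged, session),
    )
```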

Mitigation

  • Users should be selective about how they initially visit a web site. Don't click links on untrusted web pages or in unsolicited emails.
  • Disable all scripting languages in web browsers.
  • Check your filter list in Gmail settings for any unwanted filters.
  • Users should especially safeguard their browsers by installing patches for their browser in a timely manner.

Note: It has been reported that Google has issued a patch to address this vulnerability.

2. Cross-site scripting Vulnerability in Google Search Appliance

A cross-site scripting vulnerability has been reported in Google Search Appliance, which webmasters use for scraping and other types of internal searches. The vulnerability can be exploited by an attacker who creates a specially crafted URL and convinces the user to visit it. After successful exploitation, an attacker can inject code into, or overwrite, pages of a third-party site that uses the appliance. Attack scenarios include stealing the cookies used to log in to the third-party site, or altering a trusted site so that it prompts an unsuspecting user for personal information and then transmits it to the attacker. All websites that use Google Search Appliance are currently vulnerable.

Mitigation

  • Web administrators may completely disable Google Search Appliance until Google issues a patch to resolve this vulnerability.
  • Users should be selective about how they initially visit a web site. Don't click links on untrusted web pages or in unsolicited emails.
  • Disable all scripting languages in web browsers.
  • Users should especially safeguard their browsers by installing patches for their browser in a timely manner.
  • It has been reported that Google has issued a patch to address this vulnerability. Customers may apply the patch available here (requires login): https://support.google.com

3. Cross-site scripting Vulnerability in Google (Blogspot) Polls Application

A cross-site scripting vulnerability has been reported in Google's Blogspot Polls which could allow the hijacking of sensitive information. The vulnerability exists because the 'font' parameter is not properly validated before being used inside a STYLE tag. After successful exploitation, the attacker could inject IE's expression() and Mozilla's -moz-binding.
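As an added illustration that is not taken from the advisory or from Google's code, the following Python shows how a user-supplied 'font' parameter can be validated against an assumed allow-list before it is written into a STYLE block, so that the characters needed by expression() and -moz-binding never reach the page; the allow-list, the CSS class name and the function names are assumptions.

```python
# Added example (not from the advisory or Google's code): validating a
# 'font' parameter before it is emitted inside a STYLE block.
import re

# Hypothetical allow-list of the fonts the poll widget actually offers.
ALLOWED_FONTS = {"arial", "verdana", "georgia", "times new roman", "courier new"}
GENERIC_FAMILIES = {"serif", "sans-serif", "monospace"}

# A family list is comma-separated names of letters, digits, spaces and hyphens.
# Parentheses, colons, semicolons, quotes and backslashes, which expression(),
# -moz-binding and url() all need, are excluded by construction instead of
# being blocklisted one by one.
_FAMILY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 -]*(,[ ]*[A-Za-z0-9][A-Za-z0-9 -]*)*$")


def safe_font_family(value, default="arial"):
    """Return a CSS font-family value that is safe to embed, or the default."""
    value = value.strip()
    if len(value) > 80 or not _FAMILY_RE.match(value):
        return default
    names = [n.strip().lower() for n in value.split(",")]
    if not all(n in ALLOWED_FONTS or n in GENERIC_FAMILIES for n in names):
        return default
    return ", ".join(names)


def render_poll_style(font_param):
    """Build the STYLE block the way a hardened poll renderer would."""
    family = safe_font_family(font_param)
    return f"<style>.poll {{ font-family: {family}; }}</style>"
```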

Mitigation

  • Users should be selective about how they initially visit a web site. Don't click links on untrusted web pages or in unsolicited emails.
  • Disable all scripting languages in web browsers.
  • Users should especially safeguard their browsers by installing patches for their browser in a timely manner.

4. Cross-site scripting Vulnerability in Google's Picasa photo-sharing software

A combination of cross-site scripting, cross-application request forgery and a URI handler weakness exists in Google's Picasa photo-sharing software and web service. The vulnerability could be exploited by an attacker by luring a user to a malicious website. After successful exploitation, an attacker can steal photographs from the victim's hard drive.

Mitigation

  • Users should be selective about how they initially visit a web site. Don't click links on untrusted web pages or in unsolicited emails.
  • Disable all scripting languages in web browsers.
  • Users should especially safeguard their browsers by installing patches for their browser in a timely manner.

5. Cross-site scripting Vulnerability in Google's Urchin Analytics service

There is a cross-site scripting vulnerability in Google's Urchin Analytics service that can be exploited by an attacker to steal user credentials. The trivially exploitable cross-site scripting vulnerability is on the login page of Google Urchin Web Analytics 5. The vulnerability has been tested on versions 5.6.00r2, 5.7.01, 5.7.02 and 5.7.03 (latest). After successful exploitation, the attacker could steal the user's credentials.

Mitigation

  • Users should be selective about how they initially visit a web site. Don't click links on untrusted web pages or in unsolicited emails.
  • Disable all scripting languages in web browsers.
  • Users should especially safeguard their browsers by installing patches for their browser in a timely manner.


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003