Wednesday, September 18, 2024

Google Crossed Up By XSS Again

Yet another cross-site scripting issue has cropped up with Google, whose dominant place on the Internet could be starting to draw Microsoft-like attention from malicious hackers.

Even though Google seemingly has a license to print money with its lucrative search advertising business, it isn’t time to start minting coins with a motto of “In Google We Trust.” Curious explorations of the code for their web-based services have been revealing some scary potential within them.

Garett Rogers posted at his Googling Google blog how another cross-site scripting issue with Google has been discovered. This would be the third such problem found in the past few weeks.

“I will not give you details as to how the exploit works until it has been fixed – but I can tell you that it is extremely easy for anyone who knows HTML to exploit,” he wrote.

Google has been quick to patch these flaws when identified. The nature of this one has Rogers advising people to completely log out of their Google Accounts while surfing the web.

That’s the kind of advice Google will not enjoy hearing, even though it is appropriate to the threat involved here. Building trust among their users takes a hit when someone has to log out of a service like Gmail or Google Reader, to say nothing of Google’s profitable AdWords clients.

Rogers described the vulnerability as “another XSS vulnerability that easily and without the victim’s consent can steal cookies and hijack your Google account.” Imagine the chatter on the blogosphere if someone who profits nicely from AdSense discovered that a criminal had changed the name and address of the payee account and had a revenue check redirected by exploiting a cross-site flaw.

The trio of exploits that have been revealed were all found by people who were more interested in seeing them fixed. Those with a more criminal bent won’t be so quick to drop Google a note about security issues. If criminals step up their attacks on Google, will 2007 be the year people lose their trust in Google’s services?


David Utter is a staff writer for Murdok covering technology and business.
