Google Apps hit by session-stealing attack

Started by VelMurugan, Apr 18, 2008, 02:18 AM

previous topic - next topic
Go Down

VelMurugan

Google Apps hit by session-stealing attack

A security researcher has uncovered a serious flaw in Google Spreadsheets, which could give an attacker access to all of a user's Google services.

While the bug, a cross-site scripting (XSS) flaw, has now been fixed by Google, it is an indication of the perils that can accompany the growing popularity of Software as a Service (SaaS), according to researcher Billy Rios, who uncovered the problem.

Because of the way Google structures its authentication processes, a single XSS attack can deliver access to all of a user's Google services and documents, Rios said.

"With this single XSS, I can read your Gmail, backdoor your source code (code.google.com), steal all your Google Docs, and basically do whatever I want on Google as if I were you," he said in a blog post.

The exploit relied on the way Internet Explorer determines the content type of server responses, ignoring the content-type header in certain circumstances. Browsers such as Firefox, Opera and Safari can be made to share the same behaviour, Rios said.

"Developers need to understand the nuances of how the popular web browsers handle various content-type headers, otherwise they may put their web application at risk of XSS," he wrote.

To carry out the attack, Rios injected HTML into the first cell of a table, along with Javascript designed to display the user's cookie. IE then rendered the content as HTML, allowing the cookie to be viewed.

The attack could be delivered via a link to the specially formed spreadsheet, Rios said.

"To be fair, Google included a subtle defence to protect against content-type sniffing (padding the response), but those protection measures failed (with a little prodding by me)," he wrote.

Rios recently publicised a vulnerability (also now fixed) in Google Code allowing the theft of passwords.

Google Apps began as a set of hosted services, but Google this month has begun rolling out offline access to them, beginning with the word processor, Google Docs.

Over the next three weeks or so, Google will turn on the feature for all word processor users, giving them the ability to view and edit documents offline. During the same time period, Google Docs' spreadsheet will gain offline ability for viewing, but not editing documents.

Google Docs' third component, an application to make slide presentations, will remain for now without offline access. However, Google has plans to extend the offline access to it and to other hosted services in the Google Apps suite, of which Docs is part. Apps also includes Gmail, Calendar, Talk and others.

Source : Techworld

Go Up
 

Quick Reply

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Warning: this topic has not been posted in for at least 120 days.
Unless you're sure you want to reply, please consider starting a new topic.

Note: this post will not display until it's been approved by a moderator.
Name:
Email:
Verification:
Please leave this box empty:

Type the letters shown in the picture
Listen to the letters / Request another image

Type the letters shown in the picture:

shortcuts: alt+s submit/post or alt+p preview
IT Acumens Web Designing Chennai | GinGly :: Build your Personal Website | CineBuzz :: Cinema News | My Kids Diary :: Gift your Kids Memories :: Book Website @ 349 Rs monthly
Copyright 2005 - 2021 :: IT Acumens :: All Rights Reserved. :: XML Sitemap
ITAcumens Discussion Forum with 2 lakhs post running for 15 years - Powered by IT Acumens Pro Dedicated Server

My Kids Diary