October 10th, 2008

Another Google Bug Put Users At Phishing Risk Due To Domain Flaw And Frame Injection Possibility

A security expert has demonstrated that Google’s Gmail service suffers from security flaws that make it trivial for attackers to create authentic-looking spoof pages that steal users’ login credentials. Google Calendar and other sensitive Google services are susceptible to similar tampering.

A proof-of-concept (PoC) attack, published by Adrian Pastor of the GNUCitizen ethical hacking collective, exploits a weakness in the domain that allows him to inject third-party content into Google pages. The result is this page, which allowed him to display a fraudulent Gmail login page that displayed in the browser’s address bar.

The attack is another cautionary reminder to designers of websites and software of the importance of fixing vulnerabilities even when they may at first appear inconsequential.

Another weakness was discovered by security researcher Aviv Raff and reported to Google’s security department in April. Raff had noticed a domain-wide design flaw in that allowed maps, calendars, and other applications to be accessed over multiple subdomains. The URL here, which allows Google News to be accessed via the Google Maps subdomain, shows this flaw in action. Other vulnerable Google services include Mail, Images, History, Search, and Apps.

This cross-site scripting (XSS) issue in Google Maps can be exploited to hijack Google, Gmail, or Google Apps accounts by bypassing the browser’s Same Origin Policy. In other words, combined with another seemingly inconsequential flaw, it can be enough to steal a Google user’s login credentials, and that’s exactly what Pastor did in fashioning his attack. He coupled the web-app sharing flaw with a frame injection vulnerability in Google Images. The result is a spoof page that looks sufficiently authentic to trick a large number of users into giving an attacker their Google account credentials. Closing the cross-domain weakness may not have made Pastor’s attack impossible, but it would probably have made it much less powerful or more obvious.
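As an added illustration (not code from this article, from Google, or from either researcher), the two server-side checks below show the kind of validation that addresses each weakness described above: a service answers only on its own subdomain, and a frame source is accepted only from an allowlisted origin. All host names, paths and function names are hypothetical and constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical deployment map (constructed): each service path prefix is
# served only from its own canonical host.
CANONICAL_HOST = {
    "/mail": "mail.example.com",
    "/maps": "maps.example.com",
    "/news": "news.example.com",
    "/images": "images.example.com",
}

# Origins a hypothetical image viewer may load into its content frame.
FRAME_ALLOWED_ORIGINS = {("https", "images.example.com")}


def service_for(path):
    """Return the service prefix that owns a request path, or None."""
    for prefix in CANONICAL_HOST:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None


def host_allowed(host, path):
    """Reject a service reached through another service's subdomain."""
    prefix = service_for(path)
    if prefix is None:
        return False
    # Compare case-insensitively, ignoring a port and a trailing dot.
    name = host.lower().split(":")[0].rstrip(".")
    return name == CANONICAL_HOST[prefix]


def frame_target_allowed(url):
    """Accept a frame source only if it is an absolute URL on an allowed origin."""
    # Backslashes, whitespace and control characters are parsed
    # inconsistently by different URL parsers, so refuse them outright.
    if "\\" in url or any(ord(c) < 0x21 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed port or bracketed host
        return False
    if parts.username or parts.password:  # userinfo hides the real host
        return False
    host = (parts.hostname or "").rstrip(".")
    origin = (parts.scheme.lower(), host)
    return origin in FRAME_ALLOWED_ORIGINS and port in (None, 443)
```

A request handler would return an error or redirect to the canonical host when `host_allowed` fails, and would refuse to render the frame when `frame_target_allowed` fails.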

Until now, Google’s security team has been among the more proactive in stamping out bugs that could put its users at risk, but in this case Raff’s report is six months old. Given the recent discoveries and Adrian’s PoC, the flaws will most likely be fixed in short order.
