Google Inc. has quietly patched a potentially dangerous security flaw in two of its business-facing services after a private security research outfit warned that malicious hackers could exploit the bug to hijack sensitive user information.
The vulnerability was flagged—and fixed—in the Google AdWords and Google Services sub-domains. Because both sites use data from the Google Accounts username/password system, security experts said the flaw presented a major identity theft risk.
The flaw, known as a cross-site scripting vulnerability, existed on the Web site for Google’s AdWords advertising program and a customer training site, according to security company Finjan Software, which discovered the problem.
We were alerted to this issue a little while ago and we worked quickly to fix the problem, which has now been resolved. No user data was compromised and we applaud Finjan for following industry best practices for vulnerability disclosure, a Google spokesperson said in a statement.
Attackers could have exploited the flaw to hijack Google accounts, launch phishing scams or even download malicious code onto users’ computers, according to Finjan. Phishing scams are designed to trick people into giving up sensitive information such as user names, passwords, credit card details and Social Security numbers.
Limor Elbaz, vice president of business development and strategy at Finjan, said the Google AdWords and Google Services sites contained forms that did not validate and filter input.
Finjan did not release details of the vulnerability beyond a carefully worded press release, but Elbaz said the company’s researches provided proof-of-concept exploits to Google to show that the URLs could be manipulated to control a user’s Google cookie.
It is a legitimate Google URL with specific parameters. When someone clicks on that link, the attacker can take over the user’s account, Elbaz explained.
Cross-site scripting flaws are found regularly. Earlier this year, Finjan spotted a similar bug in Microsoft’s Xbox 360 Web site. The company earlier identified holes in Yahoo’s Web-based e-mail service.
Finjan, which sells products to protect corporate systems against Web-based attacks, has tools to scan Web sites for vulnerabilities. The company regularly puts popular Web sites to the test. "We do this to encourage vendors to improve their products," Elbaz said.
With the cross-site scripting flaw fixed, Google’s Web site is now deemed secure by Finjan. We found that the rest of the Web site is not vulnerable, at least to the cross-site scripting vulnerabilities, Elbaz said. We will keep following the site.
Earlier this year a security flaw in Google’s e-mail service, Gmail, was identified and fixed. The flaw could have allowed attackers to hijack Gmail users’ in-boxes.