Google's in the XSS Crosshairs - and So Are You

Google's in the XSS Crosshairs - and So Are You

It's a commonplace that online security threats are aimed at the biggest target available. In terms of operating systems, it's still Microsoft. But if you consider how people use the Internet, think G - G for Google, that is.

According to website (motto "biting the hand that feeds IT"), Google's Gmail web-based email, Picasa picture organizer, and embedded search appliance (used in websites that incorporate Google Search) have recently been proven to be vulnerable to exploits using cross site scripting (XSS).

Web Info Pirates Fly the XSS Flag

XSS takes advantage of the fact that JavaScript, HTML, VBScript, ActiveX, and Flash scripts are commonly used in websites. Put simply, an XSS attack (exploit) embeds a malicious script into a dynamic web page. The script captures or manipulates information as the attacker desires. This type of threat isn't new: the FAQ link provided above goes back to 2003. What's scary about XSS exploits is that they threaten the very richness of the Internet. I remember when websites were almost all text with just the occasional photo or drawing. Today's web user wants more - and unfortunately, that makes XSS attacks more common.

What XSS Can Do to You

In the case of the most recent Google XSS problems, XSS vulnerabilities could be used to steal cookies, steal photos from Picasa, contacts from a Gmail account, and redirected Gmail messages to a specified account. Although Google's taken action to block these attacks, this is just the latest round in XSS-based vulnerabilities suffered by Google - and others. For example, the Samy (aka J.S. Spacehero) virus used XSS to infect over a million MySpace users' pages in 2005, and a May 2007 ranking of websites with XSS vulnerabilities (available from this page) lists many major websites, including Flickr, Photobucket, Yahoo! and many others.

Stopping XSS - If You Can

The ultimate solution to XSS vulnerabilities would be to disable all scripts - unfortunately, in today's Internet, such a move would also disable most commercial websites. Boring! So, what else can you do?

If you develop websites for fun or profit, consider scanning them for XSS vulnerabilities, using a tool such as the Web Vulnerability Scanner from Acunetix Ltd (a free version is available) or others. This Google search (ironic, isn't it?) will find more examples.

But, if you're an ordinary web user, not a developer,what are your options (other than disabling scripting, that is)? 

1. If you use browser add-ons or updates to other types of web-enabled products, make sure you install updates as soon as they're available. As with updates for Windows, browser add-on updates are often provided to improve security.

2. Keep in mind that any web-based service can be vulnerable to XSS.

3. XSS vulnerabilities are often cross-browser threats; using Firefox or Opera might not protect you.

4. Most XSS exploits also depend upon old favorites like spoofing or clicking links. As always, think before you click.



+ Add a Comment


If you're a web developer, it's easy  to avoid these kind of attacks.  Just make sure your error pages (404, 500, etc) don't show anything to the user that they might have entered in.  Especially the URL.

For validation errors keep in mind the same thing.  Either escape all the charactors before sending them back, or don't send them back at all. 



not my cookies! anything but the cookies!

Log in to MaximumPC directly or log in using Facebook

Forgot your username or password?
Click here for help.

Login with Facebook
Log in using Facebook to share comments and articles easily with your Facebook feed.