funsec mailing list archives
Google fixes Buzz's XSS bug
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Thu, 18 Feb 2010 00:02:15 +0200 (EET)
"Google has fixed a Web flaw that gave hackers a way to take control of Google Buzz accounts.

The flaw was patched late Tuesday, just hours after being disclosed on a Web-hacking blog run by Robert Hansen, CEO of SecTheory. The bug lay in the m.google.com domain used by Google Buzz for mobile, and could have been exploited by hackers to manipulate other people's Google Buzz accounts.

This type of flaw, known as a cross-site scripting error, is common, but it can have nasty consequences on widely used sites such as Google. In addition to taking control of Buzz accounts, scammers could have leveraged the flaw to create hard-to-detect phishing pages that used the Google.com Web domain."

--clip--

http://www.computerworld.com/s/article/9158218/Google_fixes_Buzz_bug

Original vulnerability report:
http://ha.ckers.org/blog/20100216/google-buzz-security-flaw/

Juha-Matti
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.