funsec mailing list archives

Google fixes Buzz's XSS bug


From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Thu, 18 Feb 2010 00:02:15 +0200 (EET)

"Google has fixed a Web flaw that gave hackers a way to take control of Google Buzz accounts.

The flaw was patched late Tuesday, just hours after being disclosed on a Web-hacking blog run by Robert Hansen, CEO of SecTheory.

The bug lay in the m.google.com domain used by Google Buzz for mobile, and could have been exploited by hackers to manipulate other people's Google Buzz accounts.

This type of flaw, known as a cross-site scripting error, is common, but it can have nasty consequences on widely used sites such as Google.

In addition to taking control of Buzz accounts, scammers could have leveraged the flaw to create hard-to-detect phishing pages that used the Google.com Web domain."
--clip--

http://www.computerworld.com/s/article/9158218/Google_fixes_Buzz_bug

Original vulnerability report:
http://ha.ckers.org/blog/20100216/google-buzz-security-flaw/

Juha-Matti
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
