Latest News

Qld paramedics forced to print digital ambulance reports for EDs

Telstra to start fresh three-year transformation from mid-2022

Westpac loses its group head of data and advanced analytics

Big Tech's little mergers draw more US antitrust scrutiny

Domain acquires Insight Data Solutions for up to $159 million

$5k bug bounty paid for Google.com XSS

By SC Australia Staff on Jul 31, 2013 12:29PM

$5k bug bounty paid for Google.com XSS

Google Finance glitch.

Credit: Spagnuolo

Credit: Spagnuolo

Google has paid a researcher $5000 for a cross-site scripting (XSS) vulnerability in the Google domain.

Italian computer engineer Michele Spagnuolo who received the bug bounty said the vulnerability needed no user interaction and was "due to a glitch in Google Finance" related to a JavaScript chart application (finance/f/sfe-opt.js).

"[It tricks] the JavaScript application for plotting charts to load a file hosted on an external domain and eval() its content as Javascript code," Spagnuolo said.

"This exploit does not require any user interaction, it's just a matter of clicking on a URL."

He said the vulnerability was fixed within days and offered steps to reproduce the XSS on his blog.

Cross-site scripting attacks were common and involved malicious scripts injected into web sites. They could occur whereever web applications incorporated user input in generated output without validation.

See OWASP for advice on preventing the attacks.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:

bug bounties google security xss

Partner Content

Communication critical to CSV digital transformation, says PwC

Partner Content Communication critical to CSV digital transformation, says PwC

Delivering customer-centric government

Promoted Content Delivering customer-centric government

From 30 people to 6 million: How workplace tech is driving Movember's global community

Promoted Content From 30 people to 6 million: How workplace tech is driving Movember's global community

Rethinking security and access for hybrid work

Partner Content Rethinking security and access for hybrid work

Sponsored Whitepapers

Future of work: Support your distributed HR workforce with digital document processes

Future of work: Support your distributed HR workforce with digital document processes

Develop a resiliency strategy that integrates risk analysis & continuity management

Develop a resiliency strategy that integrates risk analysis & continuity management

IBM Maximo: Manage any asset, anytime, any place with mobile EAM

IBM Maximo: Manage any asset, anytime, any place with mobile EAM

Optimise your operations with APM and AI-Powered insights

Optimise your operations with APM and AI-Powered insights

Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data

Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data

Events

Nutanix .NEXT Conference

Most Read Articles

Westpac replaces branch phone systems with iPhones, Teams Calling

Westpac replaces branch phone systems with iPhones, Teams Calling

Australia Post nears end of massive telco transformation

Australia Post nears end of massive telco transformation

NBN Co to charge free fibre recipients that don't stick with higher speed plans

NBN Co to charge free fibre recipients that don't stick with higher speed plans

Accenture wins contract for passenger declarations platform

Accenture wins contract for passenger declarations platform

Most popular tech stories