Google patches XSS hole in Buzz

Google has fixed a vulnerability that could have allowed an attacker to hijack the accounts of its newest Gmail feature. 

Google Buzz, a social media platform that allows users to share updates, photos and videos with friends, was pushed out to all Gmail users last week. The "Google Buzz for mobile" website suffered from a common web programming error known as cross-site scripting (XSS), which could have allowed an attacker to run malicious JavaScript code on the Google.com domain, Robert Hansen, CEO of security consultancy SecTheory, told SCMagazineUS.com.

“It's a very common flaw,” Hansen said. “Some experts say it's as high as 80 percent of dynamic websites suffer from this vulnerability.”

An XSS vulnerability on a trusted website such as Google could have “catastrophic” effects if exploited, Hansen said. An attacker could have leveraged the flaw to conduct phishing attacks by redirecting users to a fraudulent page that mirrored Google's login page. Or, an attacker could have tricked users into installing malware by disguising it as an update for a Google application.

“It's up to the bad guy's imagination,” Hansen said. “Whatever Google can do, that person could do, and that's unfortunately a lot of stuff.”

A Google spokesman said the issue was fixed hours after it was reported to Google earlier this week.

“We have no indication that the vulnerability was actively abused,” spokesman Jay Nancarrow told SCMagazineUS.com in an email. “We understand the importance of our users' security, and we are committed to further improving the security of Google Buzz.”

The flaw was discovered by a hacker with the alias “TrainReq,” who recently emailed Hansen details about the issue.

XSS has been around as an exploit for about ten years, Hansen said.

But now it is the most widely used way to crack into a web application. XSS ranks as the top programming error that can lead to serious software bugs, according to the Common Weakness Enumeration/SANS Top 25 list, released by MITRE, a nonprofit public interest group.

Last April, Twitter was struck by a XSS worm. The worm spread links to a Twitter copycat site by exploiting a XSS vulnerability and infecting an unknown number of Twitter profiles. Five years ago, a hacker named Samy Kamkar unleashed what is believed to be the first social networking XSS worm across MySpace. The worm was benign but enabled Kamkar to attain more than one million "friends" in 24 hours. He was later sentenced to three years probation and ordered to serve 90 days of community service for the offense.

See original article on scmagazineus.com