Feeds

Cookie monster menaces Google

Search giant battles brace of bugs

Top three mobile application threats

Google has fixed a security vulnerability that created a means for hackers to swipe users' cookie data, days after plugging a separate hole carrying much the same risks.

Both bugs meant attackers could modify Google documents, view the email subject lines and initial word (but not the full contents) of messages to Gmail and users' search history (proving personalised search had been enabled). Attacks based on a cross-site scripting bug (the latest of the two flaws) were possible thanks to inadequate defences against HTML injections, creating a means to write potentially malicious code that extracts cookie data.

The attack mechanism works by tricking surfers into visiting a site controlled by hackers and relies on users' being logged into one or other of Google's growing number of services at the time. Google fixed the flaw on Tuesday, soon after been warned over the vulnerability.

Only last week Google fixed a flaw that carried the same risks even though it stemmed from a different problem. Google watchers at GoogleBlogoscoped were able to create a page on a Google domain. Using this page, which they shouldn't have been allowed to create, and a few lines of code, cookie details of visiting surfers might be captured.

The bug arose because a new service from Google, called Blogger's Custom Domain, allows any domain to be used whether or not a user owned the domain. Publishing a domain set to point at a Google domain thereby enabled potential exploits, as explained here.

Google has since fixed the problem but the appearance of two similar problems just days apart raises questions about the overall security of Google's services. ®

Combat fraud and increase customer satisfaction

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.