Researcher crosses swords with Google over XSS 'flaw'
Bug or feature?
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Google has crossed swords with an independent security researcher who claims that the domain used by Google module applications provides a potential "safe haven" for phishing fraudsters.
Google modules are small web apps (widgets) designed for functions such as displaying weather forecasts or sports scores on a third-party website.
Security researcher Robert Hansen warned Google that fraudsters might be able to create a phishing site on the gmodules domain because a cross site scripting flaw allows the injection of JavaScript.
Because the gmodules domain (gmodules.com) is trusted by phishing filters the flaw poses a greater risk than it might on other domains.
In its response, Google said JavaScript is a supported part of Google modules. Cross-domain protection stops sites on gmodules from been used to steal Google-specific cookies, it adds. "On further review, it turns out that this is not a bug, but instead the expected behavior of this domain," Google's security staffers told Hansen.
Hansen, a critic of Google's security response in general, argues that the search engine giant has missed the point. He posted a demo of cross-site scripting of the gmodules domain to illustrate his concern that Google ought to be worried about risks beyond simple credential (cookie) theft.
The exchange between Hansen and Google has sparked a lively debate on the ha.ckers.otg forum with participants weighing in on both sides of the debate. Some point out that Google has at least mitigated the risk by running modules from the gmodules domain, while others argue that the security policies at the ad brokering giant leave a lot to be desired. ®
COMMENTS
Not all that important
I don't use proprietary more than I have to, and I only use Google to search. I avoid the bloody toolbars everybody has added - there is nothing there for me and I trust no proprietary, closed-source developer more than I absolutely have to.
And yes, I am missing out on Google Maps. I know. Life is a bitch, isn't it ?
Security?
How about when Usenet trolls signed up for Google groups using e-mail addresses like "Spoofed Name <spoofed@address>"<verification@address> . The verification address was a throwaway or hijacked e-mail account used to verify Google Groups signup. The spoofed address was of the victim. The troll would then flood high traffic Usenet groups with massive crap crossposting. Enough Usenet clients directed replies to the spoofed address to cause problems.
And here's the biggest security hole of them all: Google doesn't read abuse complaints. Nothing makes a hacker happier than a big pile of servers running on auto-pilot.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
