Google's cookie crumbles under scripting attack
Taking the biscuit
Security researchers have unpicked a flaw in Google spreadsheets that allows cookie stealing. The cross-site scripting vulnerability enables attackers to use stolen cookies to access any Google service a user has registered, including accessing a victim's Google mail account.
Google has now plugged the vulnerability, discovered by security researcher Billy Rios. In a blog posting, Rios explains a caching flaw by Google, alongside problems in how browsers handle content-type headers, created a cookie stealing risk. A Google cookie is valid across all its sub domains, a convenience factor that greatly enhances the potential for mischief.
This particular XSS vulnerability on Google's domain takes advantage of how IE determines the content type of the HTTP response being returned by the server. Other browsers have problems in handling content-type headers properly, but this vulnerability is limited to IE.
Anyone viewing this doctored spreadsheet would hand over their cookies to Rios, or potentially an attacker, as explained here. Fortunately, Google has now rendered crafted table content as text rather than HTML.
Rios has been active in identifying XSS flaws in Google's web applications. Last week, he published an advisory about a flaw in Google code that lent itself to stealing users' passwords. Prior to that, Rios uncovered vulnerabilities in Google's Picasa, Heise Security adds. ®
Actually, MS only guess the content-type if it is not sent by the webserver, or if it is one of 26 "known" types.
Why? Well, that's more infinite wisdom from Microsoft, in order to "make it easier for an average Joe to put up a personal website without worrying about mimetype details"
It's a shame that Gupta doesn't recognise that most websites are put up by professionals*, and that their perhaps well intentioned code is a frigging nightmare at times. "Asking everybody to fix their servers" is precisely what they should do. We expect Microsoft to fix their software, adhere to standards, &c, and they have a right, nay duty, to expect the same in return.
* Insert some reference to professionals using apache and amateurs using IIS here
("infinite wisdom" is a registered trademark of Microsoft Corporation ... well, probably)
Compensating the security experts
The thing that bothers me about this is the expert's motivation. I really hope he is fully and adequately compensated for doing the right thing. What happens if some other security expert finds himself on the edge of starvation, and there he is with a security hole of high value to some criminal organization?
Not IE again!
Will someone at Microsoft please be so kind as to stop IE from guessing the content type?
The web server sends it correctly and then IE ignores it.