Google's PHP API client has XSS vulnerability

Patch promised

By Richard Chirgwin


Users of Google's PHP API client: watch out for phishing attacks while Google patches a cross-site scripting (XSS) vulnerability in the code.

The bug, discovered by DefenseCode's Leon Juranic using the company's ThunderScan source code scanner, has been acknowledged by the Chocolate Factory (as a “nice catch”), and a fix is promised.

The basis of the vuln is that if an attacker can get an administrator to “click the link”, they can send that administrator malicious JavaScript, and “the attacker's code will be executed, with unrestricted access to the site in question”.

The library in question is described by Google as a “beta”, but it's been around long enough that there's a well-followed Stack Overflow tag and a body of tutorials on how to use the API and OAuth2 to pull Google data into other projects. The APIs include interfaces to Google+, Drive and YouTube.

The two XSS bugs the post describes both stem from the library's use of $_SERVER['PHP_SELF']. This is a PHP server variable rather than a function, and it is a classic XSS sink: it holds the script path plus any PATH_INFO the client appended to the URL, so when it is written into a page unescaped, an attacker who controls the link controls part of the HTML.
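To make the mechanism concrete, here is an added example (not code from the Google API PHP client or from DefenseCode's write-up, which does not say where in the client the reflected value lands) of the classic PHP_SELF pattern: a form whose action attribute is built from $_SERVER['PHP_SELF'], beside a hardened version. The request path and the $server array are constructed for the example; function names are hypothetical.

```php
<?php
// Added example, not code from the Google API PHP client or from the
// DefenseCode advisory. It shows the classic reflected XSS via
// $_SERVER['PHP_SELF'] and one way to harden it.
//
// PHP_SELF is the script path *plus* any PATH_INFO the client appended
// (URL-decoded under typical Apache/mod_php setups). A victim lured to
//   /example.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// therefore gets attacker-controlled text into the page if it is echoed raw.

// Vulnerable: the request path is concatenated straight into HTML.
function render_form_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">'
         . '<input type="submit" value="Continue"></form>';
}

// Hardened: take SCRIPT_NAME (no PATH_INFO component) and HTML-escape it
// anyway, so any metacharacter that does reach the value is neutralised
// rather than interpreted as markup.
function render_form_hardened(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '" method="post">'
         . '<input type="submit" value="Continue"></form>';
}

// Simple check a reviewer or test could run: did a script tag survive into
// the rendered HTML?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed request, populated the way PHP would fill $_SERVER for
// GET /example.php/"><script>alert(1)</script>
$server = [
    'SCRIPT_NAME' => '/example.php',
    'PHP_SELF'    => '/example.php/"><script>alert(1)</script>',
];

foreach (['vulnerable' => 'render_form_vulnerable',
          'hardened'   => 'render_form_hardened'] as $label => $fn) {
    $html = $fn($server);
    printf("%-10s injected script present: %s\n%s\n\n",
           $label, contains_script_tag($html) ? 'yes' : 'no', $html);
}
```

Run it with `php example.php`. The vulnerable renderer closes the action attribute early and emits the attacker's script tag inside the victim's origin, which is exactly the position from which the attacker's JavaScript can call the API on the victim's behalf; the hardened renderer emits a plain `/example.php` action with no script tag. Escaping at the output point is the fix that matters; switching to SCRIPT_NAME merely removes the easiest way for attacker input to reach the value.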

“Once the unsuspecting user has visited such an URL, the attacker can proceed to send requests to the API on the behalf of the victim from his JavaScript”, the post adds. ®
