Google's PHP API client has XSS vulnerability

Patch promised

By Richard Chirgwin

Posted in Security, 12th May 2017 03:56 GMT

Users of Google's PHP API client: watch out for phishing attacks while Google patches a cross-site scripting (XSS) vulnerability in the code.

The bug, discovered by DefenseCode's Leon Juranic using the company's ThunderScan source code scanner, has been acknowledged by the Chocolate Factory (as a “nice catch”), and a fix is promised.

The basis of the vuln is that if an attacker can get an administrator to “click the link”, they can be sent malicious JavaScript, and “the attacker's code will be executed, with unrestricted access to the site in question”.

The library in question is described by Google as a “beta”, but it's been around long enough that there's a well-followed Stack Overflow forum and tutorials about how to use the API and OAuth2 to pull Google data into other projects. The APIs include interfaces to Google+, Drive and YouTube.

The two XSS bugs the post describes involve the $_SERVER['PHP_SELF'] variable.
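As an added illustration (not code from Google's library or from DefenseCode's post), here is how echoing $_SERVER['PHP_SELF'] without encoding reflects request-controlled text into a page, beside two common fixes. The function names and the sample request values are constructed for this example.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: PHP_SELF is the script name plus any path info the
// client appended to the URL, so echoing it raw places request-controlled
// text straight into the HTML.
function form_action_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Fix 1: HTML-encode the value for an attribute context before output.
function form_action_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Fix 2: use SCRIPT_NAME, which carries no client-appended path info,
// and still encode it on output.
function form_action_script_name(array $server): string
{
    $name = htmlspecialchars($server['SCRIPT_NAME'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $name . '">';
}

// Constructed sample: the values PHP would set for a request to
// /example.php/"><script>alert(1)</script>
$server = [
    'SCRIPT_NAME' => '/example.php',
    'PHP_SELF'    => '/example.php/"><script>alert(1)</script>',
];

foreach (['form_action_unsafe', 'form_action_escaped', 'form_action_script_name'] as $fn) {
    $html = $fn($server);
    // A literal <script> tag in the output means the markup was injected.
    $verdict = strpos($html, '<script>') !== false ? 'markup injected' : 'inert';
    printf("%-24s %-15s %s\n", $fn, $verdict, $html);
}
```

Only the first function emits a live `<script>` element. The escaped variant renders the same characters as inert text inside the attribute, and the SCRIPT_NAME variant never includes the appended path at all.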

“Once the unsuspecting user has visited such an URL, the attacker can proceed to send requests to the API on the behalf of the victim from his JavaScript”, the post adds. ®
