Google's PHP API client has XSS vulnerability

Patch promised

By Richard Chirgwin


Users of Google's PHP API client: watch out for phishing attacks while Google patches a cross-site scripting (XSS) vulnerability in the code.

The bug, discovered by DefenseCode's Leon Juranic using the company's ThunderScan source code scanner, has been acknowledged by the Chocolate Factory (as a “nice catch”), and a fix is promised.

The basis of the vuln is that if an attacker can get an administrator to “click the link”, they can be sent malicious JavaScript, and “the attacker's code will be executed, with unrestricted access to the site in question”.

The library in question is described by Google as a “beta”, but it's been around long enough that there's a well-followed Stack Overflow forum and tutorials about how to use the API and OAuth2 to pull Google data into other projects. The APIs include interfaces to Google+, Drive and YouTube.

The two XSS bugs the post describes involve the $_SERVER['PHP_SELF'] server variable.
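The general pattern behind a PHP_SELF XSS, as an added example that is not code from Google's client or from the DefenseCode post: the variable carries any extra path text from the request URL, so echoing it unescaped reflects request data into the page. The function names, the `/demo/index.php` path and the sample value are constructed for illustration.

```php
<?php
// Added illustration; not the library's code. $_SERVER['PHP_SELF'] holds the
// script path plus any trailing path info from the URL, so it is request data.

// Weak pattern: PHP_SELF written straight into an HTML attribute.
function render_form_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">'
         . '<input type="submit" value="Go"></form>';
}

// Hardened: encode for an attribute context, quotes included.
function render_form_escaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input type="submit" value="Go"></form>';
}

// Hardened alternative: SCRIPT_NAME normally excludes the trailing path info;
// it is still encoded on output as a matter of habit.
function render_form_script_name(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input type="submit" value="Go"></form>';
}

// Constructed sample standing in for a request to
// /demo/index.php/"><b>injected</b> (harmless markup used as a marker).
$server = [
    'PHP_SELF'    => '/demo/index.php/"><b>injected</b>',
    'SCRIPT_NAME' => '/demo/index.php',
];

$renderers = ['render_form_unsafe', 'render_form_escaped', 'render_form_script_name'];
foreach ($renderers as $fn) {
    $html = $fn($server);
    // If the marker survives as live markup, the attribute was broken out of.
    $injected = strpos($html, '<b>injected</b>') !== false;
    printf("%-26s %s\n", $fn, $injected ? 'markup reflected as HTML' : 'markup neutralised');
}
```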

“Once the unsuspecting user has visited such an URL, the attacker can proceed to send requests to the API on the behalf of the victim from his JavaScript”, the post adds. ®
