ax3
01-10-2007, 12:35 PM
Three days after ethical hacker Petko Petkov announced his discovery of a cross-site scripting vulnerability in Gmail, Google says it has fixed the problem.
"We worked quickly to address the recently reported vulnerability, and we have rolled out a fix," a Google Australia spokesperson told ZDNet Australia today.
The vulnerability discovered by Petkov, who posted his findings at the GNUCitizen Web site, could potentially allow a attacker to seize control of session cookies if a user clicked on a malicious link while logged into their account.
Under the scenario, an attacker could siphon e-mails from the hacked account to a separate POP account, Chris Gatford, from penetration-testing company Pure Hacking, explained to ZDNet Australia on Wednesday.
"If someone picks up on this before Google fixes it -- or if someone knew of the vulnerability before this guy published it -- this could be very damaging to Gmail users," Gatford said.
However, Google's spokesperson said the search giant had not received any reports of the vulnerability being exploited, and added: "Google takes the security of our users' information very seriously."
Pure Hacking's Gatford said cross-site scripting vulnerabilities are gaining popularity amongst attackers and that many organisations -- including Australian Federal Government departments -- are overlooking the problem.
"In the last year or so, [cross-site scripting vulnerabilities] have been used by attackers to grab cookie values and therefore gain access to normally password protected sites," said Gatford.
Source : http://www.zdnetindia.com/
"We worked quickly to address the recently reported vulnerability, and we have rolled out a fix," a Google Australia spokesperson told ZDNet Australia today.
The vulnerability discovered by Petkov, who posted his findings at the GNUCitizen Web site, could potentially allow a attacker to seize control of session cookies if a user clicked on a malicious link while logged into their account.
Under the scenario, an attacker could siphon e-mails from the hacked account to a separate POP account, Chris Gatford, from penetration-testing company Pure Hacking, explained to ZDNet Australia on Wednesday.
"If someone picks up on this before Google fixes it -- or if someone knew of the vulnerability before this guy published it -- this could be very damaging to Gmail users," Gatford said.
However, Google's spokesperson said the search giant had not received any reports of the vulnerability being exploited, and added: "Google takes the security of our users' information very seriously."
Pure Hacking's Gatford said cross-site scripting vulnerabilities are gaining popularity amongst attackers and that many organisations -- including Australian Federal Government departments -- are overlooking the problem.
"In the last year or so, [cross-site scripting vulnerabilities] have been used by attackers to grab cookie values and therefore gain access to normally password protected sites," said Gatford.
Source : http://www.zdnetindia.com/