Google patches XSS hole in its Buzz social media platformGoogle on Tuesday fixed a vulnerability that could have allowed an attacker to hijack the accounts of its newest Gmail feature.
“It's a very common flaw,” Hansen said. “Some experts say it's as high as 80 percent of dynamic websites suffer from this vulnerability.”
An XSS vulnerability on a trusted website such as Google could have “catastrophic” effects if exploited, Hansen said. An attacker could have leveraged the flaw to conduct phishing attacks by redirecting users to a fraudulent page that mirrored Google's login page. Or, an attacker could have tricked users into installing malware by disguising it as an update for a Google application.
“It's up to the bad guy's imagination,” Hansen said. “Whatever Google can do, that person could do, and that's unfortunately a lot of stuff.”
A Google spokesman said the issue was fixed hours after it was reported to Google on Tuesday.
“We have no indication that the vulnerability was actively abused,” spokesman Jay Nancarrow told SCMagazineUS.com in an email Wednesday. “We understand the importance of our users' security, and we are committed to further improving the security of Google Buzz.”
The flaw was discovered by a hacker with the alias “TrainReq,” who recently emailed Hansen details about the issue.
XSS has been around as an exploit for about ten years, Hansen said.
But now it is the most widely used way to crack into a web application. XSS ranks as the top programming error that can lead to serious software bugs, according to the Common Weakness Enumeration/SANS Top 25 list, released Tuesday by MITRE, a nonprofit public interest group.
Last April, Twitter was struck by a XSS worm. The worm spread links to a Twitter copycat site by exploiting a XSS vulnerability and infecting an unknown number of Twitter profiles. Five years ago, a hacker named Samy Kamkar unleashed what is believed to be the first social networking XSS worm across MySpace. The worm was benign but enabled Kamkar to attain more than one million "friends" in 24 hours. He later was sentenced to three years probation and ordered to serve 90 days of community service for the offense.