Google patches XSS hole in its Buzz social media platform

Google on Tuesday fixed a vulnerability that could have allowed an attacker to hijack the accounts of users of its newest Gmail feature.

Google Buzz, a social media platform that allows users to share updates, photos and videos with friends, was pushed out to all Gmail users last week. The "Google Buzz for mobile" website suffered from a common web programming error known as cross-site scripting (XSS), which could have allowed an attacker to run malicious JavaScript code on the domain, Robert Hansen, CEO of security consultancy SecTheory, who first reported the issue, told on Wednesday.

“It's a very common flaw,” Hansen said. “Some experts say it's as high as 80 percent of dynamic websites suffer from this vulnerability.”

An XSS vulnerability on a trusted website such as Google could have “catastrophic” effects if exploited, Hansen said. An attacker could have leveraged the flaw to conduct phishing attacks by redirecting users to a fraudulent page that mirrored Google's login page. Or, an attacker could have tricked users into installing malware by disguising it as an update for a Google application.

“It's up to the bad guy's imagination,” Hansen said. “Whatever Google can do, that person could do, and that's unfortunately a lot of stuff.”

A Google spokesman said the issue was fixed hours after it was reported to Google on Tuesday.

“We have no indication that the vulnerability was actively abused,” spokesman Jay Nancarrow told in an email Wednesday. “We understand the importance of our users' security, and we are committed to further improving the security of Google Buzz.”

The flaw was discovered by a hacker with the alias “TrainReq,” who recently emailed Hansen details about the issue.

XSS has been around as an exploit for about ten years, Hansen said.

But now it is the most widely used way to crack into a web application. XSS ranks as the top programming error that can lead to serious software bugs, according to the Common Weakness Enumeration/SANS Top 25 list, released Tuesday by MITRE, a nonprofit public interest group.

Last April, Twitter was struck by an XSS worm. The worm spread links to a Twitter copycat site by exploiting an XSS vulnerability and infecting an unknown number of Twitter profiles. Five years ago, a hacker named Samy Kamkar unleashed what is believed to be the first social networking XSS worm across MySpace. The worm was benign but enabled Kamkar to attain more than one million "friends" in 24 hours. He was later sentenced to three years' probation and ordered to serve 90 days of community service for the offense.