XSS flaw found in the Google’s PHP API enables phishing attacks

According to a posting on, during the security audit of google-api-php-client (Google's PHP client library for accessing Google APIs) multiple XSS vulnerabilities were discovered by a team at DefenseCode using its ThunderScan SAST application source code security analysis platform.

These flaws were found in the sample code for using the Google's URL Shortener. Researchers said that the Cross-Site Scripting vulnerability can enable the attacker to construct the URL that contains malicious JavaScript code.

“If the administrator of the site makes a request to such an URL, the attacker's code will be executed, with unrestricted access to the site in question. The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, posting it as a part of the comment on the vulnerable site or another forum,” said the researchers.

Once the unsuspecting user has visited such an URL, the attacker can proceed to send requests to the API on the behalf of the victim from his JavaScript.

According to the DefenseCode advisory, Google is expected to resolve security issues in the next release. “All users are strongly advised to update google-api-php-client to the latest available version when the vulnerabilities get fixed,” said the advisory.

Mark James, IT security specialist at ESET, told SC Media UK that any cross-site scripting vulnerability is potentially bad.

“If left unpatched or resolved it could enable an attacker to execute code that should not normally be executed with potential access rights they would not normally have,” he said. “An attacker could use JavaScript code to execute other code or steal information that could grant them unrestricted access to the site in question. This could lead to a malware attack or credential stealing.”

He added that the best way to stay protected is to have a multi-layered approach. Keep your operating systems up to date and fully patched and use the latest versions where possible. “Also, it is important to have a good, regular updating internet security product and ensure you use unique, complex passwords where possible or consider password managers and two-factor authentication.”

Martin Ellis, security consultant, at SureCloud, told SC Media UK that organisations need to ensure that all user controllable inputs are properly encoded. “It is possible to fully mitigate against XSS attacks by correctly encoding user input. Regular code review, both manual and with the use of automated tools can help to find these types of vulnerability,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.