Google fixes critical XSS vulnerability

Google SSL Login XSSAll your accounting data are not belong to us. Hours after a proof of concept example detailing a XSS vulnetability at Google’s account login page was posted at the XSS Project’s clearing house, the company quickly took notice and fixed it.

“Security researcher “Xylitol” is credited with the discovery of this critical bug. In this case, the fact that SSL is being used on the login page, does not necessarily mean that the users’ login information is secured. Malicious people can exploit this Google XSS to propagate malware, spyware, adware and steal authentication credentials.”

Google SSL Login XSSIn October, Google was criticized for not paying attention to an already reported cross domain frame injection vulnerability, prompting the release of a proof of concept example demonstrating how third-party content can be injected within Google pages. Ignoring the endless debate of the pros and cons of full disclosure, responsible disclosure and partial disclosure for a moment, the fact that a large number of already reported vulnerabilities remain unfixed despite the potential for abuse, clearly indicates a company’s commitment — or the lack of.

XSSed is a great open source resource, whose early warning feature and RSS feeds are an invaluable resource that could help the affected sites into prioritizing the fixing of particular flaw that’s now in the public domain, if only were the affected companies to embrace it as such.

[Source: zdnet]