Wayne Porter's
Google Open to Frame Injection Attack leads to an interesting report by
Aviv Raff of his discovery over six months ago -- a discovery reported to Google, yet still without response other than they're looking into it:
"You all learned about the value of sharing. When I was a kid my mother taught me that I should share my stuff with my friends. Unfortunately, sharing is not always a good thing. Especially, when talking about sharing web-applications across domains.
Over six months ago I've discovered an interesting, yet troubling, issue - Google.com suffers from a cross-domain web-application sharing security design flaw. There are several Google web applications which are accessible over multiple google.com subdomains. The following are some of those web-applications and subdomains:- Google Maps (maps.google.com)
- Google Mail (mail.google.com)
- Google Images (images.google.com)
- Google News (news.google.com)
- Google.com (Google Search, Google Accounts, Google Apps, Google History, etc.)"
Following the
Proof of Concept by Adrian Pastor and no further response from the Google security team, the decision was made to publish the findings.
References:
Frame Injection Fun
Frame Injection Vulnerabilities
Google Open to Frame Injection Attack
Sharing is not always a good thing
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Computer security news & information, help, tips and more, licensed under a
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
10-11-2008, 07:20 PM
Linear Mode
Similar Threads