 |
|
| CURRENT SECTION :: News | UK's most visited IT Contractor Site - 250k unique visitors March 2008 |
|
 |
Google has fixed a security hole in Web search that put the search site’s account holders at risk from identity theft. Hackers exploiting the cross-site scripting vulnerability could have taken control of any account-based Google service and inserted fake content on Web search as a precursor to phishing attacks. The theft of personal data was enabled by two Google sub-sites, which did not validate and filter input, meaning a remote attacker could insert fake content and scripts in order to steal victims’ Google cookies. Security experts at Finjan, who detected the threat, said once a user was logged-on to their account, the cookie would help hackers to identify ther victim via Google Groups. Alternatively, malicious amendments could have been made to users’ Froogle wish list or saved Web searches. Saved Google alerts were also at risk from being hijacked, as was the accuracy of information on the company’s website, which could have been jazzed up in a bid to convince searchers’ to download malicious files. Limor Elbaz, vice president at Finjan, described the security hole as inviting a three-pronged attack that would have corrupted Google Accounts, or deceived end users with fake Google information by “downloading malicious content, or providing personal and confidential information.” The security firm’s Malicious Code Research Center said Google reacted “quickly” by fixing the hole, aided by disclosure of full technical details, including proof-of-concept. The vulnerability represents the second warning from security experts in recent months that cyber criminals are defacing or spoofing Google to fund their illegal operations. Oct 12, 2005 Email this article Printer friendly page Previous Page
|
|
  |
||||||||||||||||||||||||
| All content © Contractor UK Limited | http://www.contractoruk.com/lists/?p=subscribe&id=1[Register for News Letter] | [Privacy Statement] | [Terms of Use] | [Top of Page] |