Major Froogle/Google/Groups/Gmail Security Bug found

Forum Moderators: open

Message Too Old, No Replies

Major Froogle/Google/Groups/Gmail Security Bug found

Brett_Tabke

4:34 pm on Jan 14, 2005 (gmt 0)

If you can read Hebrew, you can read the details here:

[ynet.co.il...]

If you can't, you can read the interp report here:

[aviransplace.com...]

By embedding JavaScript in a URL pointing to Froogle, a hacker can gain access to the user’s Gmail account. The JavaScript redirects the browser to a malicious web site, where the hacker can read the user’s cookie, which contains personal information, such as purchase history, user name and password for Google services.

This, the same day that they fixed another Gmail bug:
[computerworld.com...]

Powdork

6:18 pm on Jan 14, 2005 (gmt 0)

Is there any way folks could get hold of adsense or adwords passwords this way?

paladin

7:22 pm on Jan 14, 2005 (gmt 0)

Hey Brett,
As an FYI - that page in Hebrew is just a login page, not the actual article. That newspaper changed their site to subscription based a few years ago.

Alon

Yelled_Boy

7:31 am on Jan 15, 2005 (gmt 0)

The ynet article also states that this kind of flaw, although not trivial to perform, is present in many major sites, and that users should be aware of any comparison sites using URL referrals with your proprietary user ID or account ID stringed to it.

Ron

webnewton

7:45 am on Jan 15, 2005 (gmt 0)

[slashdot.org...]

Has been fixed.

Powdork

7:59 am on Jan 15, 2005 (gmt 0)

Has been fixed.

Did you read all of Brett's initial post?

emoshe

10:15 am on Jan 15, 2005 (gmt 0)

Well actually Ynet is still free for Israeli users, however, worldwide IPs has to subscribe. Just confirmed that with a proxy server.

Eyal

robster124

2:25 am on Jan 20, 2005 (gmt 0)

Why on earth is this reported in Hebrew - only Jews can read Hebrew

walkman

2:32 am on Jan 20, 2005 (gmt 0)

"Why on earth is this reported in Hebrew - only Jews can read Hebrew"

That's the language they write on their site. Anyone really interested (like Google) will find a Jew to translate it.

mattglet

2:53 am on Jan 20, 2005 (gmt 0)

...only Jews can read Hebrew

Jews aren't the only people that can read Hebrew.

AAnnAArchy

2:59 am on Jan 20, 2005 (gmt 0)

And some Jews (okay, LOTS of us) can't read Hebrew. But anyway, lots of high tech people are Israeli, so it stands to reason that some breaking stories will come out of Israel, and they won't be packaged all nice and tidy for Americans.

paladin

3:29 am on Jan 20, 2005 (gmt 0)

For those complaining that they can't read Hebrew, remember...there are Jews/Israelis that cannot read English. So for them the only way to post/read this information is in Hebrew.

rocknbil

5:22 pm on Jan 20, 2005 (gmt 0)

Edit: wrong thread, apologies all, been working too hard and late. :-)

[edited by: rocknbil at 5:49 pm (utc) on Jan. 20, 2005]

walkman

5:34 pm on Jan 20, 2005 (gmt 0)

I posted this of Foo yesterday. [webmasterworld.com...]

"It wasn't yesterday, in fact this worm may have been around for months and it's just not being recognized by virus software. It apparently can even operate users' connected webcams - the perpetrator was arrested while spying on several remote comps this way. If true, this is big."

2by4

7:06 pm on Jan 20, 2005 (gmt 0)

And here's the kicker, apparently although the bug has been fixed, all compromised accounts, even if the user changes their password, are still open to the crackers.

Now imagine that scenario when the next desktop search hole is found and you'll start understanding why desktop search is possibly one of the very worst ideas ever to come up, about as bad as linking IE to the guts of Windows through active x etc. Some ideas are just intrinsically bad.