Wednesday, April 16, 2008

Google Apps hit by session-stealing attack

A security researcher has uncovered a serious flaw in Google Spreadsheets that could give an attacker access to all of a user's Google services.

While the bug, an XSS (cross-site scripting) flaw, has now been fixed by Google, it is an indication of the dangers that can accompany the growing popularity of SaaS (Software as a Service), according to researcher Billy Rios, who uncovered the problem.

Because of the way Google structures its authentication processes, a single XSS attack can give access to all of a user's Google services and documents, Rios said.

"With this single XSS, I can read your Gmail, backdoor your source code, steal all your Google Docs, and basically do whatever I want on Google as if I were you," he said in a blog post.

The exploit relied on the way Internet Explorer determines the content type of server responses, ignoring the Content-Type header in certain circumstances. Browsers like Firefox, Opera, and Safari can be made to share the same behavior, Rios said.

"Developers need to understand the nuances of how the popular web browsers handle various content-type headers, otherwise they may put their web application at risk of XSS," he wrote.

To carry out the attack, Rios injected HTML into the first cell of a table, along with JavaScript designed to expose the user's cookie. IE then rendered the content as HTML, allowing the cookie to be viewed.

The attack could be delivered via a link to the specially crafted spreadsheet, Rios said.

"To be fair, Google included a subtle defense to protect against content-type sniffing (padding the response), but those protection measures failed (with a little prodding by me)," he wrote.
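The following added example (not from the article or from Rios's post) audits a response that carries user-controlled data for the content-sniffing risk described above. The function names, the 256-byte sniff window, the token list and the sample export are assumptions made for this sketch; `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment` are mitigations the article itself does not mention.

```javascript
// Simplified model of a content-sniffing browser: HTML-looking tokens in the
// leading bytes can override a non-HTML Content-Type. The window size and the
// token list are assumptions for this sketch, not an exact browser algorithm.
const SNIFF_WINDOW = 256;
const HTML_TOKENS = /<(html|head|body|script|title|table|img|a\s|plaintext|pre)/i;

// Case-insensitive header lookup, normalized to lower case.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key ? String(headers[key]).trim().toLowerCase() : "";
}

// Returns a list of findings for one response carrying user-controlled data.
function auditResponse(headers, body) {
  const findings = [];
  const type = headerValue(headers, "content-type").split(";")[0];
  const nosniff = headerValue(headers, "x-content-type-options") === "nosniff";
  const attachment = headerValue(headers, "content-disposition").startsWith("attachment");
  const looksLikeHtml = HTML_TOKENS.test(body.slice(0, SNIFF_WINDOW));

  if (type === "") findings.push("missing Content-Type");
  if (!nosniff) findings.push("no X-Content-Type-Options: nosniff");
  if (type !== "text/html" && looksLikeHtml && !nosniff && !attachment) {
    findings.push("user data in sniff window may render as HTML despite " + (type || "no type"));
  }
  return findings;
}

// Constructed sample: a spreadsheet export whose first cell holds user markup.
const csvBody = "<html><body>cell A1</body></html>,42\nwidgets,7\n";
const weakHeaders = { "Content-Type": "text/plain; charset=utf-8" };
const hardenedHeaders = {
  "Content-Type": "text/csv; charset=utf-8",
  "X-Content-Type-Options": "nosniff",
  "Content-Disposition": 'attachment; filename="export.csv"',
};
// Padding moves user data out of the modeled window, but the response still
// depends on every browser's sniffer agreeing with that model.
const paddedBody = " ".repeat(300) + csvBody;

console.log(auditResponse(weakHeaders, csvBody));
console.log(auditResponse(weakHeaders, paddedBody));
console.log(auditResponse(hardenedHeaders, csvBody));
```

The padded case still reports the missing `nosniff` header, which reflects the point in Rios's quote: padding alone is a defense that relies on the browser's sniffing rules rather than on an explicit instruction to the browser.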

Rios recently publicized a vulnerability (also now fixed) in Google Code allowing the theft of passwords.

Google Apps began as a set of hosted services, but Google this month has begun rolling out offline access to them, beginning with the word processor, Google Docs.

Over the next three weeks or so, Google will turn on the feature for all word processor users, giving them the ability to view and edit documents offline. During the same time period, Google Docs' spreadsheet will gain offline capability for viewing, but not editing, documents.

Google Docs' third component, an application for creating slide presentations, will remain for now without offline access. However, Google has plans to extend offline access to it and to other hosted services in the Google Apps suite, of which Docs is part. Apps also includes Gmail, Calendar, Talk, and others.
