Australia's Leading Computer Emergency Response Team

Week in Review - Week Ending 28/09/2007
Date: 28 September 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8140

We've recently noticed quite a few vulnerabilities reported in Google's various services. With an increasing reliance on Google's web applications, even in the business arena, this may be of concern to AusCERT members.

Two vulnerabilities were posted by pdp (the same security researcher who blogged about PDF vulnerabilities last week), who describes a cross-site scripting (XSS) vulnerability in Google Urchin and a cross-site request forgery (CSRF) vulnerability in GMail which may result in unauthorised access to the victim's GMail messages. The full details can be found at:

http://www.gnucitizen.org/blog/

The following site also has some security articles about Google:

http://xs-sniper.com/blog/category/security/

This page describes using a Flash crossdomain.xml file uploaded to Google Docs to perform a cross-domain request to steal the victim's Google credentials (or other Google data). The same page also describes a method for stealing images from Google Picasa by inducing the user to click on a malicious link.
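The crossdomain.xml issue above comes down to a hosting domain serving a user-supplied file that Flash Player then treats as that domain's cross-domain policy. As an added example (not part of the original AusCERT review), the Python below audits a policy file for the settings a defender would want to see: a site-control meta-policy that only honours the master policy, no wildcard domain grants, and no secure="false". Both sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the kind of wide-open policy that, if honoured by the
# player on a trusted domain, lets any site's Flash content read that domain's data.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: a master policy that refuses to honour any other policy
# file on the host, so an uploaded crossdomain.xml elsewhere is ignored.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""


def audit_crossdomain_policy(xml_text):
    """Return a list of human-readable findings for a crossdomain.xml policy."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # The meta-policy decides whether non-master policy files are honoured at all.
    site_control = root.find("site-control")
    meta = site_control.get("permitted-cross-domain-policies") if site_control is not None else None
    if meta is None:
        findings.append("no <site-control>: player may honour policy files elsewhere on the host")
    elif meta == "all":
        findings.append("permitted-cross-domain-policies=all: any hosted file can act as a policy")

    # Each allow-access-from rule widens which origins may read responses.
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain=*: every origin may read responses")
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain rule {domain}: review its scope")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"secure=false on {domain}: HTTP content may read HTTPS data")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_crossdomain_policy(policy) or ["no findings"])
```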

Users are storing more and more sensitive data on Google's servers and are placing increasing levels of trust in the Google domain. Therefore, XSS and CSRF vulnerabilities in Google are becoming increasingly critical.


I also noted an interesting paper on the use and the potential for abuse of gadgets in Windows Vista:

http://www.mwrinfosecurity.com/publications/mwri_sidebar-gadgets_2007-09-25.pdf

This gives a very nice introduction to gadgets and then goes on to discuss some potential abuses of this technology and countermeasures against them.


Regards,
Rob.