Cross-site scripting vulnerability found on Google's French website

Sacre Bleu!: A type of XSS vulnerability has been discovered in the French version of Google

The flaw could enable attacker to send malicious code to victims
The flaw could enable attacker to send malicious code to victims

A security researcher has discovered a flaw on Google's main French domain, www.google.fr, that would have allowed hackers to malicious code, usually in the form of Javascript, to another user.

According to Issam Rabhi, a researcher with French security firm Sysdream, said that exploiting the flaw may lead to private information compromise, cookie theft or even browser take over.

In a blog post, Rahbi posted the proof-of-concept detailing how an attack could take place using a carefully crafted link and then inserting the payload into the input field related to search. This resulted in an alert message popping up on the screen.

Rahbi said he contacted Google on 5 August with Google responding “nice catch!” the flaw was fixed four days later. It was only after that the researcher posted the exploit.

Craig Parkin, associate partner at Citihub Consulting told SCMagazineUK.com that Google fixed the problem in three days after it was reported.

“In the report the payload merely prompted an alert box to open, provided the flaw was limited to that it's unlikely to have impacted regular users,” he said.

“Organisations can do much to prevent XSS vulnerabilities on their own apps from employing firms to test apps and deploying hardware such as web application firewalls to catch the request in the first instance.”

Ilia Kolochenko, CEO of web security firm High-Tech Bridge told SC that it's not a classic XSS, but a self-XSS, a significantly less dangerous flaw. The attacker needs to make the victim inserting the malicious XSS payload into the vulnerable page in order to trigger the vulnerability.

“In case of successful exploitation, it will have the same impact as a classic XSS: theft of cookies and other sensitive data from browser, phishing or even malware injection,” he said.

Mark James, security specialist at ESET told SC that limiting these types of attacks is relatively simple once you understand the process being used, making sure your web applications are developed using some form of security development lifecycle (SDL) and getting help from external sources utilising scans for vulnerabilities will help in keeping you safe.

“Although cross-site scripting has been around for a good many years it can be one of the easier attack methods to protect against.”