XSS flaw found in Google's PHP API client enables phishing attacks

News by Rene Millman

Security researchers have discovered a cross-site scripting (XSS) flaw in Google's PHP client library for accessing Google APIs that criminals could exploit to carry out a phishing attack.

According to a posting on Seclists.org, during the security audit of google-api-php-client (Google's PHP client library for accessing Google APIs) multiple XSS vulnerabilities were discovered by a team at DefenseCode using its ThunderScan SAST application source code security analysis platform.

These flaws were found in the sample code for using Google's URL Shortener. Researchers said that the cross-site scripting vulnerability enables an attacker to construct a URL that contains malicious JavaScript code.

“If the administrator of the site makes a request to such an URL, the attacker's code will be executed, with unrestricted access to the site in question. The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, posting it as a part of the comment on the vulnerable site or another forum,” said the researchers.

Once the unsuspecting user has visited such a URL, the attacker's JavaScript can send requests to the API on behalf of the victim.

According to the DefenseCode advisory, Google is expected to resolve the security issues in the next release. “All users are strongly advised to update google-api-php-client to the latest available version when the vulnerabilities get fixed,” said the advisory.

Mark James, IT security specialist at ESET, told SC Media UK that any cross-site scripting vulnerability is potentially bad.

“If left unpatched or resolved it could enable an attacker to execute code that should not normally be executed with potential access rights they would not normally have,” he said. “An attacker could use JavaScript code to execute other code or steal information that could grant them unrestricted access to the site in question. This could lead to a malware attack or credential stealing.”

He added that the best way to stay protected is to have a multi-layered approach. Keep your operating systems up to date and fully patched and use the latest versions where possible. “Also, it is important to have a good, regular updating internet security product and ensure you use unique, complex passwords where possible or consider password managers and two-factor authentication.”

Martin Ellis, security consultant at SureCloud, told SC Media UK that organisations need to ensure that all user-controllable inputs are properly encoded. “It is possible to fully mitigate against XSS attacks by correctly encoding user input. Regular code review, both manual and with the use of automated tools can help to find these types of vulnerability,” he said.
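
The encoding advice above, as an added example (not code from google-api-php-client or the DefenseCode advisory): a hypothetical sample page that shows a `url` request parameter back to the user, first unencoded and then hardened. The function names and sample inputs are constructed for illustration.

```php
<?php
// Added illustration: NOT code from google-api-php-client or the advisory.
// Hypothetical sample page that receives a long URL in a "url" parameter
// and displays it, as a URL-shortener demo page might.

// Vulnerable pattern (the "before"): request data is written into HTML
// unencoded, so markup placed in the parameter becomes part of the page.
function render_unsafe(string $url): string
{
    return '<p>Shortening: <a href="' . $url . '">' . $url . '</a></p>';
}

// Encode for the HTML context (element text and quoted attribute values).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// An encoded value is still not automatically a safe link target, so
// require an absolute http(s) URL before it is placed in href.
function is_http_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

function render_safe(string $url): string
{
    if (!is_http_url($url)) {
        return '<p>Rejected: ' . h($url) . ' is not an http(s) URL.</p>';
    }
    return '<p>Shortening: <a href="' . h($url) . '">' . h($url) . '</a></p>';
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'https://example.com/a?b=1&c=2',
    '"><script>alert(1)</script>',
    'javascript:alert(1)',
];

foreach ($samples as $s) {
    echo "input : $s\n";
    echo "unsafe: " . render_unsafe($s) . "\n";
    echo "safe  : " . render_safe($s) . "\n\n";
}
```

Run from the PHP command line, the output shows the second input breaking out of the `href` attribute in the unsafe rendering, while the hardened rendering emits it only as inert, entity-encoded text.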
