Experts Find DOM-Based XSS Vulnerability in Google.com

Security researchers from Minded Security have identified a document object model (DOM)-based cross-site scripting (XSS) vulnerability on Google.com.

The security hole has been identified with the aid of DOMinatorPro - a runtime JavaScript DOM XSS analyzer.

According to the researchers, DOMinatorPro revealed a piece of code in googleadservices.com /pagead/landing.js which used invalidated input to build the argument for two “document.write ” calls.

They found that the buggy JavaScript had been utilized by google.com/toolbar/ie/index.html (both HTTP and HTTPS).

“[This] means that one more time a (almost) 3rd party script introduces a flaw in the context of an unaware domain,” Minded Security’s Stefano Di Paola explained.

Di Paola suggested one workaround, but Google decided to address this issue by removing the problematic script altogether.

Unlike the traditional XSS vulnerabilities that occur in the server-side code, DOM-based XSS affects the script code in the client’s browser.