14 DAY TRIAL // Although the Mountain View company has recently hired one of the best known hackers coming from Poland, it seems that Google is not afraid of the successful exploitations of the vulnerabilities since it is not interested in some of the reports sent by the users. Security researcher Robert Hansen recently discovered a vulnerability in the Google Gadgets that would allow an attacker to create a phishing website that would be able to bypass all the filters. But what's most interesting is not the main security flaw notification, but the Google response offered to the researcher.
"On further review, it turns out that this is not a bug, but instead the expected behavior of this domain. Javascript is a supported part of Google modules. Since these modules reside on the gmodules.com domain instead of the Google domain, cross-domain protection stops them from being used to steal Google-specific cookies, etc. If you do find a way of executing this code from the context of a google.com domain, though, please let us know," the Google team responded to the notification.
"If I misunderstood the report in any way, please don't hesitate to correct me. For the moment, though, I'm closing this issue. Thanks for sending this over."
Google didn't confirm the problems but it looks like the danger is imminent and nobody knows if he's protected or not. However, the Google response doesn't seem to sound like a new extremely dangerous flaw was discovered. In contradiction with the Mountain View company's representatives, the researcher sustains this is something serious and also that this is not the first time when the Google officials are ignoring his disclosures.
"For the record, this is not the first time I have responsibly disclosed issues to Google, and this is the third time they have said what I reported was either not a bug or too hard to fix. So much for using responsible disclosure with Google. Ugh.", he wrote.