Putting most of a user's Google-hosted assets at risk

May 13, 2009 08:18 GMT

A self-described web security researcher going by the online handle "Inferno" has published details of a serious cross-site scripting (XSS) vulnerability in Google's Support Python Script. The flaw allowed arbitrary JavaScript to run in the context of the google.com domain, which could have facilitated a wide variety of attacks, including session hijacking. Because the vulnerable script was reused across many of Google's pages, it took the company almost three weeks to fix it everywhere.

"The vulnerability existed in Google's Support Python Script where a malicious url is not sanitized for XSS character ' (single quote) before putting inside javascript variable logURL. As a result, it was possible to break the encapsulation of the var declaration and execute arbitrary javascript commands on the main Google.com domain," Inferno explains on his blog.
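To make the quoted mechanism concrete, here is an added example in Python. It is not Inferno's proof of concept and not Google's script (which was never published): a constructed template that drops an untrusted URL into a single-quoted JavaScript literal the way the quote describes, a hardened version that encodes the value for a JavaScript string context, and a small check that tells whether the emitted literal still ends where the template intended. The variable name logURL comes from the quote; the `var logURL = '...';` layout, the host example.test and the payload string are assumptions constructed for this demonstration.

```python
import json

# Constructed inputs (not the real URLs from the report). The first one
# carries the bug class the article describes: a single quote closes the
# JS string literal and whatever follows is parsed as code.
MALICIOUS_URL = "http://example.test/page?q=x';alert(document.cookie);//"
BENIGN_URL = "http://example.test/page?q=hello%20world"


def render_vulnerable(url: str) -> str:
    """Assumed shape of the flawed template: the URL is interpolated into a
    single-quoted literal with no escaping at all."""
    return "var logURL = '%s';" % url


def render_safe(url: str) -> str:
    """Encode the value for a JavaScript string context.

    json.dumps yields a double-quoted literal with backslash escapes for
    quotes, backslashes and control characters. The extra replacements
    cover what JSON encoding alone does not: '<', '>' and '&' so an HTML
    parser cannot see a closing </script> inside the literal, and
    U+2028/U+2029, which JavaScript treats as line terminators."""
    literal = json.dumps(url)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return "var logURL = %s;" % literal


def literal_is_intact(rendered: str, prefix: str = "var logURL = ") -> bool:
    """Return True if everything after the prefix is exactly one JS string
    literal followed by ';', i.e. the untrusted value did not break out of
    the quotes that were meant to encapsulate it. Backslash escapes are
    honoured so escaped quotes inside the literal are not mistaken for its
    end."""
    if not rendered.startswith(prefix):
        return False
    body = rendered[len(prefix):]
    if not body or body[0] not in "'\"":
        return False
    quote = body[0]
    i = 1
    while i < len(body):
        c = body[i]
        if c == "\\":
            i += 2          # skip the escaped character
            continue
        if c == quote:
            return body[i + 1:] == ";"
        i += 1
    return False            # literal never closed


if __name__ == "__main__":
    for url in (BENIGN_URL, MALICIOUS_URL):
        for render in (render_vulnerable, render_safe):
            out = render(url)
            print("%-17s intact=%-5s %s" % (render.__name__, literal_is_intact(out), out))
```

The check is a regression test for the emitted output, not a substitute for context-aware encoding: the fix is to encode for the JavaScript string context every time a value is interpolated, which json.dumps plus the HTML-sensitive replacements gives you in the standard library. Escaping only the single quote, as the quote's wording might suggest, would leave a backslash-terminated value or an embedded </script> able to break out by another route.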

The ability to execute arbitrary JavaScript on google.com opened the door to a particularly critical attack type, session hijacking. The underlying weakness, a session that is represented entirely by a cookie the browser presents, is not specific to Google; it has been exploited before in other proof-of-concept attacks, such as man-in-the-middle attacks that capture the cookie in transit.

Once a user authenticates to a website, the server sets a cookie containing a long, unique identifier and the browser stores it and sends it back with every subsequent request. This is the "session cookie": the site looks it up each time a request for a protected resource arrives in order to decide whether the user is authenticated, so whoever presents the identifier is treated as that user.

Session cookies can be set to expire after a certain amount of time and are invalidated when the user hits the "Sign off" button. As long as one is still valid, however, anyone who obtains it can put it into their own browser and get access to the account it is associated with, because the server cannot distinguish the legitimate holder from a thief. That is what makes a cookie readable from script, as this one was, the natural target for an XSS payload; cookies flagged HttpOnly are withheld from document.cookie and so are not exposed by this route.
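The mechanism described in the two paragraphs above, modelled as an added Python example constructed for this article (it is not Google's session implementation): a server-side session table issues a random identifier at login, answers every later request by looking that identifier up, and cannot tell a replayed stolen identifier from the legitimate one until the entry is removed by sign-off or expiry. The cookie name SID, the time-to-live and the user name are assumptions; set_cookie_header shows the HttpOnly and Secure attributes that close the two theft paths the article mentions, script access and interception in transit.

```python
import secrets
import time


class SessionStore:
    """Minimal server-side session table. The random identifier issued at
    login is the only thing that ties a later request to the user, so
    possession of the identifier is the whole proof. The clock is
    injectable so expiry can be exercised deterministically."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}  # session id -> (user, expires_at)

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits: unguessable by brute force
        self._sessions[sid] = (user, self.clock() + self.ttl)
        return sid

    def authenticate(self, sid: str):
        """Return the user for a presented identifier, or None if it is
        unknown or has expired. Nothing here can tell which browser sent it."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[sid]
            return None
        return user

    def logout(self, sid: str) -> None:
        """"Sign off": deleting the server-side entry is what ends the
        exposure; clearing the cookie in one browser does not."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Assumed Set-Cookie line with the attributes that matter here:
    HttpOnly keeps document.cookie (and so an XSS payload) from reading it,
    Secure keeps it off plaintext HTTP where a man-in-the-middle could
    sniff it."""
    return "Set-Cookie: SID=%s; Path=/; Secure; HttpOnly" % sid


def replay_demo() -> dict:
    """Walk through the hijack scenario and record what the server
    concluded at each step."""
    now = [1_000_000.0]
    store = SessionStore(ttl_seconds=600, clock=lambda: now[0])
    result = {}

    victim_sid = store.login("victim@example.test")
    stolen_sid = victim_sid  # exfiltrated, e.g. by reading document.cookie
    result["victim_request"] = store.authenticate(victim_sid)
    result["attacker_replay"] = store.authenticate(stolen_sid)  # same answer

    store.logout(victim_sid)  # sign-off invalidates the stolen copy too
    result["after_signoff"] = store.authenticate(stolen_sid)

    fresh_sid = store.login("victim@example.test")
    now[0] += 601  # past the TTL
    result["after_expiry"] = store.authenticate(fresh_sid)
    return result


if __name__ == "__main__":
    for step, outcome in replay_demo().items():
        print("%-16s -> %s" % (step, outcome))
```

The replay step is the whole point of the article's warning: until the victim signs off or the session times out, the server serves the attacker exactly as it serves the victim. Shorter lifetimes and server-side invalidation limit the window; HttpOnly and Secure on the cookie remove the two easiest ways of obtaining it in the first place.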

On Google, such a scenario is particularly dangerous because a single sign-on cookie authenticates the user across all or most of its services, such as Gmail, Google Docs, Google Code, Google Sites and Google Analytics. A successful attack like the one Inferno documented therefore translates into a massive compromise of personal and sensitive information.

Additionally, once someone's Google session has been hijacked, an attacker could also install malicious gadgets on the victim's iGoogle homepage, extending the damage. "I would like [to] thank the Google Security Team for their prompt responses and fixing this serious issue in a timely manner," Inferno notes. "If you think Google took a long time in fixing this vulnerability, think again. This python script is used in a lot of places," he explains.

Photo gallery (2 images): "Google XSS facilitates session hijacking attacks"; "Google session cookie exposed through XSS"