The security hole was identified by Junaid Hussain, former leader of TeaMp0isoN

Mar 8, 2013 12:04 GMT

Junaid Hussain, the founder of illSecure.com and better known as TriCk of the TeaMp0isoN hacktivist group, has identified a cross-site scripting (XSS) vulnerability in Google Fusion Tables.

Google Fusion Tables is an experimental data visualization web application designed to gather, visualize, and share larger data tables.

The expert has reported the security hole to Google. However, since the affected domain, fusiontables.googleusercontent.com, is a “sandboxed domain,” the flaw doesn’t qualify for the company’s bug bounty program.

That’s why Hussain decided to release the vulnerability’s details.

The proof-of-concept video he published shows how cybercriminals could get users to click on potentially malicious links by tricking them into thinking that they’re on a legitimate Google domain.

Check out the video to see how the vulnerability can be exploited. Additional technical details are available on illsecure.com.

Update. Sabari Selvan of E Hacking News tells us he has reported similar vulnerabilities on googleusercontent.com. However, he says Google created the sandboxed domain specifically for running unsafe code, so such vulnerabilities are not fixed.