Google to security researcher: Nice catch!

Sep 14, 2016 15:55 GMT  ·  By

French security researcher Issam Rabhi has identified a cross-site scripting (XSS) vulnerability in Google's Search interface, something that many have thought to be impossible after so many years of probing by other security experts.

The reason why Rabhi managed to identify this "unicorn" is because the issue wasn't in Google's classic Search section, but in the custom widget the company introduced for the Rio Olympics.

The company still uses the widget today to show the final results of the recently concluded Olympic Games, but without the XSS issue, which it patched four days after the bug was reported.

Issue was easy to exploit via social engineering

According to Rabhi, who works for French security company Sysdream, the issue affected only the French version of the Google Olympics widget and is what experts call a reflected XSS (also known as self-XSS, first-order XSS, type 1 XSS, or non-persistent XSS).

This means the attacker has to convince a victim to open a Google link that already carries the malicious code inside the URL's parameters. Since Google already uses quite lengthy URLs, the extra parameter would not have looked out of place.
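As an added illustration (not Rabhi's finding or Google's code), here is a minimal results page that reflects a URL parameter into HTML, its escaped counterpart, and a check a defender can run against each locale variant of a widget to catch the unescaped case; the parameter names and the widget's behaviour are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for a results widget that echoes a query parameter
# back into the page. The parameter names (q, hl) are assumed.
def render_unsafe(query_string: str) -> str:
    params = parse_qs(query_string)
    term = params.get("q", [""])[0]
    # The value lands in the markup verbatim: a reflected XSS sink.
    return f"<p>Results for: {term}</p>"

def render_safe(query_string: str) -> str:
    params = parse_qs(query_string)
    term = params.get("q", [""])[0]
    # quote=True also escapes " and ', so the value is safe inside
    # attribute values as well as text nodes.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

# Defender's check: does any parameter value that carries markup
# characters come back verbatim in the response body?
MARKUP = set("<>\"'")

def reflects_unescaped(query_string: str, body: str) -> list:
    hits = []
    for name, values in parse_qs(query_string).items():
        for value in values:
            if MARKUP & set(value) and value in body:
                hits.append(name)
    return hits

# Constructed probe: a harmless tag plus the locale parameter. Because only
# one locale's template was affected in the Google case, run the check once
# per locale value the widget accepts, not just the default.
PROBE = "q=<b>probe</b>&hl=fr"

if __name__ == "__main__":
    print("unsafe:", reflects_unescaped(PROBE, render_unsafe(PROBE)))
    print("safe:", reflects_unescaped(PROBE, render_safe(PROBE)))
```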

When Rabhi informed Google of the issue on August 5, the company's first response was "Nice catch!" Google fixed the XSS on August 9.

Not all companies regard XSS issues as dangerous

While many companies might dismiss XSS bugs in their bug bounty programs, these issues are stepping stones to more serious intrusions. XSS exploits let attackers collect cookies and XSRF tokens for more intrusive attacks, which can end in the compromise and hijacking of a target's accounts.

Of course, not all companies take these issues seriously. One of those that don't is Microsoft. Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told Softpedia that Microsoft refused to even consider an XSS bug his firm had discovered a security vulnerability.

The issue, detailed here, is a self-XSS in the Microsoft Dynamics CRM, which the company declined to patch, according to Kolochenko.

[Images: The Google Rio 2016 widget; XSS flaw in action]