From hackademix.net, we bring you 4 Google disclosures in only 3 days' time:
- Google Search Appliance XSS discovered by MustLive, affecting almost 200,000 paying customers of the outsourced search engine and their users: this Google dork showed 196,000 results at the time of disclosure, now dropped to 188,000.
- a Picasa exploit, leveraging a clever combo of XSS, Cross Application Request Forgery, Flash same-domain policy evasion and URI handler weakness exploitation to steal your private pictures, straight from your local hard disk, just by visiting a malicious web page.
- a Google Polls XSS which, thanks to the (too) smart “widget reuse” allowing Google services to integrate the same functionality across multiple services, can be used to attack Search, Blogspot, Groups and, in the most dramatic exploitation scenario, GMail:
  - This POC steals your Google contacts
  - This POC steals your GMail incoming messages, routing them to beford’s mail address
- an Urchin Login XSS disclosed by GNUCITIZEN’s Adrian Pastor, which could compromise local Google Analytics installations.