Had Google left the the cross-site scripting (XSS) vulnerability unpatched, hackers could have modified third-party Google documents and spreadsheets as well as had access to e-mail subjects and search history.
According to Philipp Lenssen, the author of Google Blogoscoped, the first Google Custom Domains vulnerability allowed Tony Ruscoe (another Google expert) to create a page that was hosted on a Google.com domain. Ruscoe proved that he could have used code to steal a user's Google cookie and access their Google services. The second vulnerability, reported by Lenssen, would also have enabled a hacker to use JavaScript code to pass cookie data to an external source.
Google hit two birds with one stone according to a representative: "Google was alerted to these issues, and we worked quickly to fix the problems, which have been resolved. We have not received any reports of user data being compromised."
News source: News.com
2 Comments - Add comment