Wednesday, October 20, 2004

Cross-site Scripting Attacks Possible on Google Desktop

Netcraft is reporting that a cross-site scripting vulnerability has just been plugged, but another one still exists.
"A British computer scientist has demonstrated that opportunities exist for fraudsters to launch phishing attacks using cross site scripting bugs on the very widely used Google sites. Using these conduits, fraudsters would be able to inject their own content onto the site in order to collect credit card details and other sensitive information.



Jim Ley's demonstrations include a well crafted credit card submission form which explained that Google was soon to become a subscription-only service at $5 per month, but that users could take advantage of an earlybird special offer to obtain lifetime free searches for just $10.



See screenshot.



Google's introduction of the Google Desktop has exacerbated the situation, as Google search results can now include the content of local files. The vulnerability uncovered in the Google Desktop allowed an attacker to search a user's local machine for passwords and report the results directly back to the attacker's own web site.



Ley notes that both of these problems were fixed earlier this morning. However, while investigating his report, Netcraft noticed at least one more serious phishing vulnerability which would allow an attacker to inject their own content using the Google web site. Such links are easily hidden in web forms or disguised as links in phishing mails. Netcraft has notified Google of the vulnerability and will explain the issue when they receive a response from Google."

