XSS – Cross Site Scripting flaw at Google

Via Slashdot, Web Security posted a message about a cross site scripting vulnerability at Google:

Two XSS vulnerabilities were identified in the Google.com website, which allow an attacker to impersonate legitimate members of Google’s services or to mount a phishing attack. Although Google uses common XSS countermeasures, a successful attack is possible, when using UTF-7 encoded payloads.
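Why escaping alone misses this kind of input, as an added example that is not code from the advisory or from Google: UTF-7 spells `<` and `>` as the ASCII runs `+ADw-` and `+AD4-`, so an escaper that rewrites only the literal characters leaves them untouched, and a browser that sniffs the encoding of a response with no declared charset may decode them into markup. The function names and the sample input are constructed for illustration.

```python
import html
import re

# Constructed sample input: the UTF-7 spelling of "<b>bold</b>", plain ASCII throughout.
SAMPLE = "+ADw-b+AD4-bold+ADw-/b+AD4-"

MARKUP_CHARS = set("<>\"'&")
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")  # a UTF-7 shifted (base64) run
CHARSET = re.compile(r";\s*charset\s*=\s*\"?[\w.:-]+", re.IGNORECASE)


def escape_output(value: str) -> str:
    """The common countermeasure: rewrite the literal characters & < > " '."""
    return html.escape(value, quote=True)


def as_utf7(value: str) -> str:
    """What a UTF-7 decoder makes of the same ASCII text."""
    return value.encode("ascii").decode("utf-7")


def hidden_markup(value: str) -> set:
    """Markup characters that appear only after UTF-7 decoding of shifted runs."""
    found = set()
    for run in UTF7_RUN.findall(value):
        try:
            found |= set(run.encode("ascii").decode("utf-7")) & MARKUP_CHARS
        except UnicodeError:
            continue  # not a decodable UTF-7 run
    return found


def declares_charset(content_type: str) -> bool:
    """Mitigation check: the Content-Type header names an encoding explicitly."""
    return CHARSET.search(content_type) is not None


if __name__ == "__main__":
    escaped = escape_output(SAMPLE)
    print("escaper changed the input:", escaped != SAMPLE)
    print("decoded as UTF-7:", as_utf7(escaped))
    print("hidden markup characters:", sorted(hidden_markup(SAMPLE)))
    for header in ("text/html", "text/html; charset=utf-8"):
        print(f"{header!r} declares charset:", declares_charset(header))
```

Sending an explicit charset on every response, as in `Content-Type: text/html; charset=utf-8`, removes the ambiguity that encoded input of this kind depends on.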

One of the links in the Slashdot submission is described by Phosphor3k as:

Someone [who] is trying to get their Pagerank up by submitting the story with a name of “Security Test” and linking to their shoddy website. The site has only a few links, no content, and it says the page is for sale. Will slashdot ever get their shit together and stop posting submissions with blatant pagerank-whoring links like this?

We covered spam sites getting slashdotted earlier . . . so it must not be that difficult. If you have a compelling and timely story, you can often include a link to one of your sites and get it past the mods if the destination page looks legitimate. To me, this is the ultimate in link dumping.
