Tuesday, January 18, 2005

Google Plugs Cookie-Theft Data Leak

Google Plugs Cookie-Theft Data Leak:

“For the second time this week, security flaws in the company's Web-based products have been uncovered, and the latest—in the Froogle comparison-shopping service—could have serious ramifications for Google's attempt at identity management.

In a statement sent to eWEEK.com, the search darling confirmed it was alerted to a "potential security vulnerability affecting Froogle," but no details were provided.

"We have since fixed this vulnerability, and all current and future Froogle users are protected," Google said.

According to Israeli security researcher Nir Goldshlager, a malicious hacker could exploit the hole by embedding a JavaScript in a URL pointing to Froogle. Once the link is clicked, the JavaScript triggers a browser redirect to a malicious Web site where the target's Google cookie is stolen.

Goldshlager, who was recently credited with finding a flaw in the Lycos e-mail service, said the cookie contains usernames and passwords for the "Google Accounts" centralized log-in service. He said the flaw also could be used to hijack Gmail accounts.

The Google Accounts identity management service is programmed to provide universal access to all Google services that require a login.

It powers logins for Google Groups, Google Alerts, Google Answers and Google Web APIs, and plans are in place to expand the service to include Google Adwords and the company's e-commerce store.

"The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he wants, and it still won't stop the hacker from using his box," Goldshlager said.

Earlier this week, Google was forced to address a separate bug in Gmail that allowed access to other users' personal e-mails. By altering the "From" address field of an e-mail sent to the service, a malicious hacker could potentially find out a user's personal information, including passwords.”

http://www.eweek.com/article2/0,1759,1751689,00.asp?kc=ewnws011705dtx1k0300599
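The article's point that a stolen cookie keeps working after a password change is a property of how the session is designed, not of the script injection itself. As an added example (not code from the article, from Google, or from the researcher), this Python sketch binds each session cookie to a per-account credential generation, so a password change revokes every cookie issued earlier, and emits the cookie with the HttpOnly flag so page script cannot read it; the account names, signing key and hashing are constructed for the demo.

```python
# Added example: sessions bound to a credential generation counter.
# Demo only: the key is constructed and password hashing uses a bare
# SHA-256 for brevity; a real system would use a proper password KDF.
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-server-side-key-for-demo"


class Account:
    def __init__(self, username, password):
        self.username = username
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()
        self.cred_gen = 0  # bumped on every password change

    def change_password(self, new_password):
        self.password_hash = hashlib.sha256(new_password.encode()).hexdigest()
        self.cred_gen += 1  # invalidates all cookies minted under the old value


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(account):
    # username : credential generation : random nonce : HMAC over the rest
    payload = f"{account.username}:{account.cred_gen}:{secrets.token_hex(8)}"
    return f"{payload}:{_sign(payload)}"


def set_cookie_header(value):
    # HttpOnly keeps document.cookie from exposing the session to page script;
    # Secure keeps it off plaintext HTTP.
    return f"Set-Cookie: SID={value}; Path=/; Secure; HttpOnly"


def authenticate(cookie, accounts):
    """Return the Account for a valid cookie, or None if it is forged or revoked."""
    try:
        user, gen, nonce, sig = cookie.split(":")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{user}:{gen}:{nonce}"), sig):
        return None  # tampered or not issued by this server
    account = accounts.get(user)
    if account is None or int(gen) != account.cred_gen:
        return None  # cookie predates the most recent password change
    return account
```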
