Let’s start with the bad news: a researcher known only by his nickname “Inferno” just announced he has found a cross-site scripting vulnerability on many Google services. While XSS attacks are, unfortunately, a common thing this one is far scarier than most. Since almost all Google services use a single cookie on the google.com domain for authentication, this attack makes it possible to do many nasty things.
Some of these are reading your e-mail, browsing your address book, accessing Analytics accounts for your websites, read documents stored on docs.google.com and more. Scary, right? All the attacker would need to do is get you to open a URL while you’re logged on to even a single Google service. While XSS attacks against Google’s websites are nothing new, this one is special because it affects a script used on a large amount of sites.
The good news? Google responded within an hour after they received the report, and were able to fix the issue and push the updated script to all their servers in just over two weeks.
Vulnerability Reported: 04/18/2009 9.33 pm
Google’s Response: 04/18/2009 10.19 pm (Wow! that was super fast for Saturday :))
Vulnerability Fixed: 05/05/2009 7.05 pm
Change Propagated: 05/07/2009 3.19 pm
Vulnerabilities in widely-used services such as these can easily be worth tens of thousands of dollars; fortunately Inferno did the right thing by reporting the issue to Google instead of selling it on the black market.