Unholy trinity of flaws put Google users at risk

If you use Google to send email, organize photos or help administer your website, doomwatchers have cataloged three new ways to steal your data and compromise the security of your users. All three of the techniques rely on cross site scripting, or XSS, in which hackers inject unauthorized code by making it appear as if it's …

COMMENTS

This topic is closed for new posts.
  1. leslie

    emmmmmmmmmmm

    So if I just delete all my contacts from my address book, they can't steal them. Hell yeah, that'll work.

  2. Danny

    just say no to js

    XSS and Javascript: Or why you shouldn't just let arbitrary code run on your machine.

    Just switch it off and let sites that demand javascript be enabled know why you aren't shopping there anymore. Ditto Flash. Or if that's a hassle, have a separate browser for these sites and set it to delete all cookies on exit, and only visit one site at a time. I keep Mozilla for this purpose. Konqueror with js off and no plugins for general browsing.

    Of course, XSS can be prevented if the sites in question are ruthless with input filtering and html quoting. If. Having some js to do frame breakout will make iframe injection attacks pretty obvious. Ahh, frames. Don't you wish you could go back in time and give that smartarse at Netscape a good kicking. It would have been nice for a site to inform the browser that js should be disabled for this page regardless of any other setting or outer frames. But it's way too late for that.

    CSRF is a trickier beast. It's your site (which naturally is perfect) being attacked by a bad guy or compromised site. As the request comes from a legitimate user of your site, or technically from their browser, discriminating a genuine request from a bad one is a knotty problem. One solution is to ask for their password to confirm serious actions.

    Or, ironically, have some js detection code to say "This site best viewed with JS off."

    The joys of unintended consequences...
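An added example, not code from the article or from any commenter, of the output-side "html quoting" described in the comment above, together with the URL-attribute caveat that plain escaping does not cover; the comment text and site URL are constructed sample input.

```javascript
// Added example: escape untrusted text at the output boundary, the "html quoting"
// the comment recommends. The sample comment body and URL below are constructed.

// Characters that change meaning in HTML text or inside a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text for an HTML text node or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escaping alone is not enough for URL attributes: a javascript: URL contains no
// special characters. Allow only http(s) and fall back to a harmless '#'.
function safeHref(untrustedUrl) {
  try {
    const u = new URL(String(untrustedUrl), 'https://example.invalid/');
    return (u.protocol === 'http:' || u.protocol === 'https:') ? escapeHtml(u.href) : '#';
  } catch (e) {
    return '#';
  }
}

// Unsafe pattern: user-supplied strings concatenated straight into markup.
function renderCommentUnsafe(author, site, body) {
  return `<li><a href="${site}">${author}</a>: ${body}</li>`;
}

// Hardened pattern: every untrusted value is encoded for the context it lands in.
function renderCommentSafe(author, site, body) {
  return `<li><a href="${safeHref(site)}">${escapeHtml(author)}</a>: ${escapeHtml(body)}</li>`;
}

// Count tag-like sequences. The template itself contributes exactly four:
// <li>, <a ...>, </a>, </li>. Anything beyond four came from the input.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample: a comment body that tries to smuggle markup in.
const SAMPLE_AUTHOR = 'leslie';
const SAMPLE_SITE = 'http://example.com';
const SAMPLE_BODY = 'hi <script>x()</script>';

console.log(countTags(renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_SITE, SAMPLE_BODY))); // 6
console.log(countTags(renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_SITE, SAMPLE_BODY)));   // 4
```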

  3. Anonymous Coward

    I wondered how long it would take

    someone to notice this. I generally avoid js; I am allergic to client side code, but there are things they want to do that require the browser's help, so I oblige, knowing full well there isn't too much chance it's safe. May god have mercy on my watery soul. Still, it's good to know I am not alone.

  4. Lexx Greatrex

    None of the 'exploits' work

    Yeah very classy article, and excellent research too! Well done Reg!

    Oh, wait a minute, these exploits are a bunch of crap and don't work.

    Did the author test the code before he submitted this article?

  5. Whitter

    Title

    Just try logging into uk.yahoo.com with XSS turned off. Takes about 6 authentication pages, as it jumps from one site, to another to another, each one no longer handing the info across. (As if they ever should have: nice design folks)

  6. Matt Jordan

    Noscript

    nuff said

  7. Anonymous Coward

    @Lexx

    Did you read the article?

    "A Google spokesman on Monday afternoon said the flaw had been fixed."

    "We plugged both addresses into version 7 of IE and only the latter appeared to work, so it's possible that ICANN has already plugged the hole."

    Maybe, just maybe people are fixing the problem before you got your mouth and brain into gear....

  8. Ex Pat

    crappy java

    Well, clearly it is about time to dump javascript because it is so rubbish. It is a dreadful thing that is slow, unreliable and cumbersome. And to make it worse, Sun's JVM is bloated and slows the machine down even further.

    I am sure that a few java programmers (they probably also like ridiculous linux) will be offended by this post, but to them I say, see you next tuesday.

  9. Ex Pat

    BTW

    JS = Javascript. Or does it mean jack-shit?

  10. Liam the lemming

    Javascript != Java.

    Ex Pat wrote:

    well, clearly it is about time to dump javascript because it is so rubbish. it is a dreadful thing that is slow, unreliable and cumbersome. and to make it worse, Sun's JVM is bloated and slows the machine down even further.

    ---

    Wow.

    It's 2007, and people are *still* confusing Javascript with Java. I won't argue that Java *applets* pretty much suck balls, but Java*script* is an entirely different technology. I'd offer an explanation, but I honestly doubt it'd be grasped by those getting it wrong in the first place.

    Oh, and Ex Pat: "ridiculous linux"? You mean the platform that powers so many web servers across the world? Including - oh my - The Register itself:

    Server: Apache/2.0.54 (Debian GNU/Linux)

    You *might* wanna consider a bit of research before shooting off at the mouth. It might just help you look a little *less* dim.

  11. Ex Pat

    @Liam the gay lemming

    Er, less dim? Java, smava. Who cares if they are different, they still are based on the same crappy foundation and all suck regardless.

    Just because linux powers a few web servers does not make it automatically a good product. iTunes unfortunately powers the syncing of my iPod but it still sucks as a product.

    If you spent more time in the real world instead of in dingy server rooms reading Linux User whilst rubbing yourself you might be a bit more aware of real world facts, namely that Java, Javascript and linux all suck.

  12. cottonfoo

    Huh

    JavaScript and Java don't have the same "crappy" foundation at all, I wager you just don't know what you're talking about. Plenty of bozo-bits being flipped there.

  13. James Anderson

    Javascript has nothing to do with java.

    Javascript is an interpreted "scheme" like language more properly called "ECMAScript" which has an extremely fast implementation in most browsers.

    It was designed as a "prototype"d language but you can downgrade to an OO style of programming if you want. (In practice most JS programmers downgrade to a K&R C style of programming).

    Java is a C like language compiled to a virtual machine language which runs very inefficiently on most browsers.

    The only thing they have in common is the use of curly brackets to denote a block of code.

    Most people who knock javascript as a language have never done any serious programming in the language. It is a very powerful language and the "prototype" paradigm is both elegant and powerful.

    Try "http://www.masswerk.at/JavaPac/JS-PacManPlus.htm" to see what can be done in pure JS.

  14. Ex Pat

    @cottonfoo

    you are a really boring person. stuck reading Linux User in the basement with Liam the gay lemming. At least we now know who does the rubbing while he is turning the pages.
