Google cookie data leak problem

By Derek Sooman on January 17, 2005, 4:00 PM
For once, itís Google in the spotlight for having security deficiencies. Security flaws in some of the company's Web-based products have been uncovered, in particular in Froogle comparison-shopping service.

According to Israeli security researcher Nir Goldshlager, a malicious hacker could exploit the hole by embedding a JavaScript in a URL pointing to Froogle. Once the link is clicked, the JavaScript triggers a browser redirect to a malicious Web site where the target's Google cookie is stolen.

Google has replied that the vulnerability has since been fixed. However, Israeli security researcher Nir Goldshlager, who provided proof-of-concept exploits of the cross-site scripting scenarios to Google, warned that information from stolen cookies can be used even if the password is changed.

"The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he wants, and it still won't stop the hacker from using his box," Goldshlager said.

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.