Today, The Next Web covered a post about a potential XSS “vulnerability” on Google’s app and gadget hosting services used on Google-hosted domains.
In the post, TNW recounts what the original writer said:
According to The Hacker News, the story behind this one goes a little something like this. Two months ago, Indian hacker Mohit Kumar discovered the XSS vulnerability on Google’s domain, and wrote up a proof of concept.
Kumar then submitted it to Google on September 11. Two days later, he received this response:
In other words, Google wasn’t bothered by the issue and thus didn’t grant Kumar a bug bounty prize. Kumar figured this wasn’t too big of a deal, since Google informed him it was not exploitable and was further on a sandboxed domain. Nevertheless, after all this time, he was surprised to learn that the issue still hasn’t been fixed.
Of course, more people piled on, as a “hacker” in Bulgaria released a “proof of concept” showing this “vulnerability.” TNW writes:
This is just a proof of concept, but it gets the point across. This looks like a legitimate Google login page hosted on Google.com, but it really could be a phishing site that would steal your login credentials if you enter your account details. How this last part would work isn’t detailed, but what is clear is that the Google.com domain is being abused.
Basically, this isn’t a vulnerability of anything at Google. No data is being accessed, no information is being taken off of your machine, absolutely none. Why? Because Google Gadgets like this are hosted on a separate sandboxed domain, by Google itself. And it’s secure to boot.
What this is a case of is someone potentially creating a gadget that looks like a Google login page. If you fill out the form, that data goes to the phisher, exactly as it would on any other phishing site on the Internet. When Google gets a whiff of these scams, the abuse team responds promptly. Just because this could be hosted on a Google domain doesn’t mean that it’s a Google vulnerability.
It’s just some asshat trying to steal your password. Like they could do on a GoDaddy domain.
We of course reached out to Google once we did some digging, and this is the statement we received:
Using iGoogle, or any Google product, to serve deceptive content is a violation of our product policies. We will remove offending content from our gadget gallery. For more information about our security approach to hosting content, you can read more here: http://googleonlinesecurity.blogspot.com/2012/08/content-hosting-for-modern-web.html
Click that link and hop to “web origins” and you’ll see this passage:
In the end, we reacted to this raft of content hosting problems by placing some of the high-risk content in separate, isolated web origins—most commonly *.googleusercontent.com. There, the “sandboxed” files pose virtually no threat to the applications themselves, or to google.com authentication cookies. For public content, that’s all we need: we may use random or user-specific subdomains, depending on the degree of isolation required between unrelated documents, but otherwise the solution just works.
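To make that passage concrete, here is a small added example (not code from the article, from TNW, or from Google) that models the two browser rules doing the work: the same-origin policy, which compares the (scheme, host, port) tuple of two URLs, and cookie domain matching, which decides whether a google.com session cookie is attached to a request. The gadget hostnames (`random123-gadget.googleusercontent.com` and friends) and the cookie jar are constructed for the demo, and `accounts.google.com` is assumed to be the legitimate login host.

```javascript
// Added example, not from the original post: models why content on a sandboxed
// *.googleusercontent.com origin cannot touch google.com cookies or DOM.
// Hostnames ending in "-gadget.googleusercontent.com" and the cookie jar below
// are constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple as the browser sees it: scheme, host and effective port.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname, // URL() already lowercases the host
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Same-origin policy: scripts in `a` may read the DOM/storage of `b` only if
// every part of the tuple matches.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Cookie domain matching: the request host must equal the cookie's domain or
// be a subdomain of it. "googleusercontent.com" is NOT a subdomain of
// "google.com", even though it contains the string "google".
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, cookieJar) {
  const host = new URL(url).hostname;
  return cookieJar.filter((c) => domainMatches(host, c.domain)).map((c) => c.name);
}

// Defender check matching the "report it if the domain looks wrong" advice:
// a real Google sign-in form must be served from the expected login origin.
const EXPECTED_LOGIN_ORIGIN = "https://accounts.google.com/"; // assumed
function isExpectedLoginOrigin(url) {
  return sameOrigin(url, EXPECTED_LOGIN_ORIGIN);
}

// Constructed cookie jar: the session cookie google.com sets after login.
const COOKIE_JAR = [{ name: "SID", domain: ".google.com" }];

function demo() {
  const gadget = "https://random123-gadget.googleusercontent.com/gadget.html";
  const otherGadget = "https://other456-gadget.googleusercontent.com/gadget.html";
  const google = "https://www.google.com/";
  return {
    gadgetSameOriginAsGoogle: sameOrigin(gadget, google), // false: cannot read google.com DOM
    cookiesSentToGadget: cookiesSentTo(gadget, COOKIE_JAR), // []: session cookie never leaves google.com
    cookiesSentToGoogle: cookiesSentTo(google, COOKIE_JAR), // ["SID"]
    gadgetsIsolatedFromEachOther: !sameOrigin(gadget, otherGadget), // true: per-gadget subdomains
    fakeLoginOnGadgetOrigin: isExpectedLoginOrigin(gadget), // false: report it
  };
}

console.log(demo());
```

The point the example makes is the one the post makes: a lookalike login form on a random `googleusercontent.com` subdomain shares neither an origin nor a cookie scope with `google.com`, so the only thing it can collect is what a user voluntarily types into it, which is ordinary phishing rather than a hole in Google's services.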
Nothing to see here. If you see a wonky Google login page on a domain that you don’t recognize, report it to Google. There are no security holes. As you were.
[Photo credit: Phlickr]