Google Apps hit by session-stealing attack
A security researcher has uncovered a serious flaw in Google
Spreadsheets, which could give an attacker access to all of a user's Google
services.
While the bug, a cross-site scripting (XSS) flaw, has now been fixed by Google,
it is an indication of the perils that can accompany the growing popularity
of Software as a Service (SaaS), according to researcher Billy Rios, who uncovered
the problem.
Because of the way Google structures its authentication processes, a single
XSS attack can deliver access to all of a user's Google services and documents,
Rios said.
"With this single XSS, I can read your Gmail, backdoor your source code
(code.google.com), steal all your Google Docs, and basically do whatever I want
on Google as if I were you," he said in a blog post.
The exploit relied on the way Internet Explorer determines the content type
of server responses, ignoring the content-type header in certain circumstances.
Browsers such as Firefox, Opera and Safari can be made to share the same behavior,
Rios said.
"Developers need to understand the nuances of how the popular web browsers
handle various content-type headers, otherwise they may put their web application
at risk of XSS," he wrote.
To carry out the attack, Rios injected HTML into the first cell of a table,
along with Javascript designed to display the user's cookie. IE then rendered
the content as HTML, allowing the cookie to be viewed.
The attack could be delivered via a link to the specially formed spreadsheet,
Rios said.
"To be fair, Google included a subtle defense to protect against content-type
sniffing (padding the response), but those protection measures failed (with
a little prodding by me)," he wrote.
Rios recently publicized a vulnerability (also now fixed) in Google Code allowing
the theft of passwords.
Google Apps began as a set of hosted services, but Google this month has begun
rolling out offline access to them, beginning with the word processor, Google
Docs.
Over the next three weeks or so, Google will turn on the feature for all word
processor users, giving them the ability to view and edit documents offline.
During the same time period, Google Docs' spreadsheet will gain offline ability
for viewing, but not editing documents.
Google Docs' third component, an application to make slide presentations, will
remain for now without offline access. However, Google has plans to extend the
offline access to it and to other hosted services in the Google Apps suite,
of which Docs is part. Apps also includes Gmail,
Calendar,
Talk and others.
» posted by abennett
Techworld.com
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
