In association with heise online

16 January 2007, 21:57

Google Cookie Theft Part Two


Following a recent security vulnerability that would have allowed an attacker to partly penetrate other users' Google accounts, a second, similar problem has been identified. Like the previous vulnerability, this one allows an attacker to read a user's Google cookie. This does not give the attacker full access to the Google account, but it does give access to much personal information, such as Google Docs and Spreadsheets documents and the complete search history. To fall victim, a user has to visit a prepared website.

In contrast to the first security vulnerability, the second relies on cross-site scripting. A script embedded in the URL of the Google service reads the victim's cookie and sends it to the attacker's server. According to Philipp Lenssen, author of the Google Blogoscoped blog, Google has already resolved the problem. No further details are known at present.

