Password theft via vulnerability in Google code
Billy Rios has discovered a vulnerability in the Google Code service which could be exploited to steal passwords from developers who have registered on the site. The Google Security Team has since fixed the vulnerability.
Rios succeeded in gaining cross-domain access by uploading a crafted Java applet to a project on code.google.com as an issue. It is possible to access files which are uploaded as issues via the Google domain. In his blog entry, Rios notes that this type of attack is usually carried out using a crafted Flash applet, but that in this case Flash does not work, as the Flash applet is only able to gain access to subdirectories of the domain. However the Java security model allows access to the complete domain rather than just specific subdirectories. It is thus possible for an external website to load the injected Java applet under the Google domain and still communicate with the Google server. Rios has posted a screenshot which appears to demonstrate that he was able to access another code.google.com user's password.
According to Rios' blog, no appliance or software application is currently able to protect against this kind of cross domain access. He also notes that the Google Security Team were very quick to plug the vulnerability.
- Insecure Content Ownership, blog entry by Billy Rios