Vulnerability in Google Spreadsheets allows cookie stealing
Security researcher Billy Rios has discovered a vulnerability in Google Spreadsheets which attackers can exploit using links to crafted tables to steal a user's cookie. According to Rios, the victim has to follow such a link in Internet Explorer. The stolen cookie can be used to access all Google services with the victim's identity, including reading the victim's Google Mail.
Rios explains on his blog that the security vulnerability results from incorrect content-type headers or the browser ignoring these headers in HTTP responses returned by the server. The problem is not confined to Internet Explorer: according to Rios, Firefox, Safari and Opera can also ignore the content-type header and attempt to determine the server response content type themselves.
“With this single XSS, I can read your Gmail, backdoor your source code (code.google.com), steal all your Google Docs, and basically do whatever I want on Google as if I were you!” notes Rios. Google has now fixed the vulnerability and the browser now renders such crafted table content as text rather than HTML.
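The content-type mismatch described above can be checked for on the server side. The following is an added example, not code from Rios' blog or from Google: a simplified heuristic that flags a response whose body looks like HTML while its declared type does not, next to headers that tell the browser to treat table content as text. The 256-character window, the tag list, the function names and the use of `X-Content-Type-Options: nosniff` are assumptions of this example, not details the article gives about Google's fix.

```javascript
// Added example: flag responses a content-sniffing browser could render as HTML.
// Simplified heuristic, not any browser's real sniffing algorithm.

const SNIFF_WINDOW = 256; // assumption: only the start of the body is inspected
const HTML_HINT = /<\s*(html|head|body|script|iframe|img|table|title|a)\b/i;

// Lower-case header names so lookups are case-insensitive.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

function auditResponse(headers, body) {
  const h = normalise(headers);
  const declaredType = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  const nosniff = (h['x-content-type-options'] || '').toLowerCase() === 'nosniff';
  const looksLikeHtml = HTML_HINT.test(body.slice(0, SNIFF_WINDOW));
  // Risk: the body is HTML-like, the server did not declare HTML, and nothing
  // tells the browser to trust the declared type over its own guess.
  const sniffable = looksLikeHtml && declaredType !== 'text/html' && !nosniff;
  return { declaredType, nosniff, looksLikeHtml, sniffable };
}

// Headers for serving user-supplied table data as inert text.
function hardenedHeaders() {
  return {
    'Content-Type': 'text/plain; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample: a table export whose cell holds markup.
const sampleBody = 'name,note\nalice,<script></script>\n';
const weak = auditResponse({ 'Content-Type': 'text/plain' }, sampleBody);
const missing = auditResponse({}, sampleBody);
const fixed = auditResponse(hardenedHeaders(), sampleBody);
console.log({ weak: weak.sniffable, missing: missing.sniffable, fixed: fixed.sniffable });
```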
Just last week, Rios published details of a vulnerability in Google Code that attackers could exploit to steal user passwords. In collaboration with Nathan McFeters, he previously discovered and demonstrated the Windows URI vulnerability and vulnerabilities in Google's Picasa.
- Google XSS, entry on Billy Rios' blog