Google Groups vulnerable to cross-site scripting
Written by DP
Sunday, 27 April 2008
Update: This was fixed a few hours after the disclosure! Again, congratulations to Google!
mox has discovered a critical XSS (script insertion) vulnerability in Google Groups [Mirror]:
http://groups.google.com/groups/abuse?group=titlescriptalertdocumentcookiescript&type=file&url=XSSED&_done=%2Fgroup%2Ftitlescriptalertdocumentcookiescript%2Ffiles%3F&
It could be used by malicious people to steal cookies, to display a fake Google Groups login form to phish cleartext authentication credentials, and also to infect Google users with malware, adware and spyware.
It should be noted that Google fixed 2 recent XSS vulnerabilities very quickly. We hope this one will be resolved later today...