周一安全研究专家说,Google已经修复了自身Web站点存在的安全漏洞,包括网络钓鱼攻击,账户欺诈和其他类型的可能的漏洞。
Google has fixed a security flaw on its Web site that opened the door to phishing scams, account hijacks and other attacks, security researchers said Monday.
据发现该缺陷的安全厂商Finjan公司称,这一跨站点脚本缺陷存在于Google的AdWords 广告计划和客户培训网站上。黑客可以利用该缺陷挟持Google的帐户、发动钓鱼式攻击,甚至能够在用户的计算机上下载恶意代码。
钓鱼式攻击旨在诱惑用户透露用户名、密码、信用卡详细资料、社保号等机密信息。
Finjan于上个月底向Google通报了这一缺陷,Google在30个小时内就修正了该缺陷。Finjan的副总裁莉摩尔说,Google的响应非常积极。 Google的证实说,它提前得到了警告,并修正了该缺陷。没有用户资料被泄露,我们对Finjan披露缺陷的方式表示赞同。
据Finjan称,该安全问题存在的原因是,Google网站上的表单没有对输入的数据进行验证和过滤,这使得黑客能够注入在用户计算机上运行的内容和代码。为了利用这一缺陷,黑客必须伪造一个Web 链接,并诱惑用户点击它。
莉摩尔说,这一缺陷的危险之处就在于,黑客设计的链接与真正的Google链接非常想象。
跨站点脚本缺陷非常常见。今年早些时候,Finjan在微软的Xbox 360 Web网站上发现了一个类似的缺陷。在早些时候,Finjan还发现了雅虎基于Web 的电子邮件服务中的缺陷。
Finjan开发了对网站进行扫描,发现其中缺陷的工具,它经常对流行的网站进行测试。莉摩尔指出,我们这样做的目的是鼓励厂商改进它们的产品。
在修正这一跨站点脚本缺陷后,Google Web网站被Finjan认为是安全的。莉摩尔说,我们发现,Google网站的其它部分不容易受到攻击,至少不存在跨站点脚本缺陷。我们将继续监测该网站。(
The flaw, known as a cross-site scripting vulnerability, existed on the Web site for Google's AdWords advertising program and a customer training site, according to security company Finjan Software, which discovered the problem.
Attackers could have exploited the flaw to hijack Google accounts, launch phishing scams or even download malicious code onto users' computers, according to Finjan. Phishing scams are designed to trick people into giving up sensitive information such as user names, passwords, credit card details and Social Security numbers.
Finjan informed Google of the bug late last month and the problem was fixed within 30 hours, said Limor Elbaz, a vice president at Finjan, which is headquartered in San Jose, Calif. "Google's responsiveness was very good," she said.
Google confirmed that it was alerted "a little while ago" and fixed the flaw. "No user data was compromised, and we applaud Finjan for following industry best practices for vulnerability disclosure," a Google representative said in an e-mailed statement.
The security problem existed because forms on Google's Web site did not validate and filter data entered into certain fields. This allowed an attacker to inject extra content and scripts that would run on the user's computer, according to Finjan. To take advantage of the flaw, an attacker would have to craft a special Web link and trick the user to follow it.
"The dangerous thing in the case of Google is that the link would look like an innocent Google link," Elbaz said.
Cross-site scripting flaws are found regularly. Earlier this year, Finjan spotted a similar bug in Microsoft's Xbox 360 Web site. The company earlier identified holes in Yahoo's Web-based e-mail service.
Finjan, which sells products to protect corporate systems against Web-based attacks, has tools to scan Web sites for vulnerabilities. The company regularly puts popular Web sites to the test. "We do this to encourage vendors to improve their products," Elbaz said.
With the cross-site scripting flaw fixed, Google's Web site is now deemed secure by Finjan. "We found that the rest of the Web site is not vulnerable, at least to the cross-site scripting vulnerabilities," Elbaz said. "We will keep following the site."
Earlier this year a security flaw in Google's e-mail service, Gmail, was identified and fixed. The flaw could have allowed attackers to hijack Gmail users' in-boxes.
