Google plugs obscure phishing holes


Google has fixed a security flaw that had opened the door to phishing scams, account hijacks and other attacks, security researchers said Wednesday.

The flaw, known as a cross-site scripting vulnerability, existed because Google did not properly secure its mechanism for two error pages, according to Web security company Watchfire, which discovered the problem. Watchfire posted to a security mailing list an advisory on the issue.

Attackers could exploit the flaw to launch phishing scams or steal a user's credentials, said Ory Segal, director of security research at Watchfire. Phishing scams are designed to trick people into giving up sensitive information such as usernames, passwords, credit card details and Social Security numbers. Google plugs 'obscure' phishing holes | CNET News.com

Linked by shanmuga Wednesday, 21st December 2005 9:52PM