Cookie monster menaces Google

Google has fixed a security vulnerability that created a means for hackers to swipe users' cookie data, days after plugging a separate hole carrying much the same risks.

Both bugs meant attackers could modify Google documents, view the email subject lines and initial word (but not the full contents) of messages to Gmail and users' search history (proving personalised search had been enabled). Attacks based on a cross-site scripting bug (the latest of the two flaws) were possible thanks to inadequate defences against HTML injections, creating a means to write potentially malicious code that extracts cookie data. Cookie monster menaces Google | Channel Register

Linked by shanmuga Friday, 19th January 2007 1:14AM