John

Another Reason To Ditch IE. As If We Didn’t Have Enough Already.

In News on April 16, 2008 at 12:49 pm

If you’re one who gets paranoid about safety while surfing the Web, here’s something that would freak you out. Turns out that there was a cookie-stealing exploit that was exposed (and subsequently fixed) if you used Internet Explorer while using Google’s Spreadsheet. If you don’t know what a cookie is, then hell, you’re in deep shit. Just get Firefox, add in the NoScript plug-in and save your identity from being infiltrated.

Who knows what other security vulnerabilities are out there, eh?

From The Register:

Security researchers have unpicked a flaw in Google spreadsheets that allows cookie stealing. The cross-site scripting vulnerability enables attackers to use stolen cookies to access any Google service a user has registered, including accessing a victim’s Google mail account.

Google has now plugged the vulnerability, discovered by security researcher Billy Rios. In a blog posting, Rios explains a caching flaw by Google, alongside problems in how browsers handle content-type headers, created a cookie stealing risk. A Google cookie is valid across all its sub domains, a convenience factor that greatly enhances the potential for mischief.

This particular XSS vulnerability on Google’s domain takes advantage of how IE determines the content type of the HTTP response being returned by the server. Other browsers have problems in handling content-type headers properly, but this vulnerability is limited to IE.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: