Google's cookie crumbles under scripting attack

Security researchers have unpicked a flaw in Google spreadsheets that allows cookie stealing. The cross-site scripting vulnerability enables attackers to use stolen cookies to access any Google service a user has registered, including accessing a victim's Google mail account. Google has now plugged the vulnerability, …

COMMENTS

This topic is closed for new posts.
  1. Nathanael Bastone
    Flame

    WRARRRRRR!!

    Cookie stealing make Cookie Monster MAD!

  2. yeah, right.
    Dead Vulture

    a first?

    So here we have Google and Microsoft working together to screw their customers? Isn't that a first or something, those two working together?

  3. Mr B
    Thumb Up

    Clouds ...

    ahahah, charges are gathering inside Google's clouds ... thunderbolts are just a couple of volts away.

  4. Robert Armstrong
    Stop

    Is this a feature?

    Or is it Web 3.0?

  5. Nick Stallman
    Unhappy

    Not IE again!

    Will someone at Microsoft please be so kind as to stop IE from guessing the content type?

    The web server sends it correctly and then IE ignores it.

  6. Shannon Jacobs
    Pirate

    Compensating the security experts

    The thing that bothers me about this is the expert's motivation. I really hope he is fully and adequately compensated for doing the right thing. What happens if some other security expert finds himself on the edge of starvation, and there he is with a security hole of high value to some criminal organization?

  7. Steve Sutton

    @Nick Stallman

    Actually, MS only guess the content-type if it is not sent by the webserver, or if it is one of 26 "known" types.

    http://msdn2.microsoft.com/en-us/library/ms775147.aspx

    Why? Well, that's more infinite wisdom from Microsoft, in order to "make it easier for an average Joe to put up a personal website without worrying about mimetype details"

    http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx

    It's a shame that Gupta doesn't recognise that most websites are put up by professionals*, and that their perhaps well-intentioned code is a frigging nightmare at times. "Asking everybody to fix their servers" is precisely what they should do. We expect Microsoft to fix their software, adhere to standards, &c, and they have a right, nay duty, to expect the same in return.

    * Insert some reference to professionals using apache and amateurs using IIS here

    ("infinite wisdom" is a registered trademark of Microsoft Corporation ... well, probably)
