Google service has a dangerous security error
Within two days, a series of Google online services were found to have extremely dangerous security errors.
According to security researchers, hackers could exploit these errors to "hijack" a PC or steal users' personal data. Exploit code for a number of the errors has now been released on the Internet.
A total of 4 security bugs were discovered in this round. One is an extremely dangerous error that hackers could exploit to implant a 'backdoor' that steals data directly from Gmail accounts. The remaining errors are identified as XSS (cross-site scripting) errors.
The Google services concerned include the free email service Gmail, Google Groups, the Google Picasa digital photo management software and search engine software intended exclusively for website administrators.
In an article on GNU Citizen's official blog, security researcher Petko D. Petkov said hackers just need to trick users into visiting a specially crafted website that can install a malicious 'backdoor' to keep track of their Gmail account. However, the necessary and sufficient condition here is that the user is both logged in to their Gmail account and visits the hacker's malicious website.
If successful, the malicious code creates a 'filter' in Gmail that forwards any email attachments in the account to any address the hacker wants. Users can detect the attack by checking the 'Filter' section in Gmail Settings.
Although Petkov has not provided a proof of concept or detailed information on the error, Ryan Naraine, author of the Zero Day blog, says he has seen the whole process of Petkov exploiting this Gmail security bug. 'In my opinion, this is an extremely dangerous security bug because it does not need any user intervention to enable malicious code and is difficult to detect for a regular Gmail user. They were almost unaware that their email had been stolen,' Naraine said.
A Google spokesperson said the company's bug-hunting experts are working to verify the authenticity of the security error.
The second security error detected this time is in the poll application built into Google Groups. This error can be exploited to steal contact books and emails from any Gmail account.
Exploit code and screenshots clearly proving the error are now available online. Among them is a picture of the entire contact book and the emails sent from the Gmail account of a researcher who discovered this error.
At the end of the afternoon of September 24, a Google spokesperson said the error was completely fixed.
'If you're a good person using JavaScript, you can take advantage of the error very easily,' said Giorgio Maone, a researcher at El Reg. 'It's more dangerous than just one code. The only exploit you can attack any Gmail account you want.'
The exploit code disclosed by experts can be used to attack any user, whether they use the Internet Explorer, Firefox, Opera or Konqueror browser. However, for the exploit to work, JavaScript must not be disabled in the browser and the user must be logged in to a Gmail account.
The third security error is in the Google Search Appliance search application, which is often sold to website administrators. This is a tool that helps web developers build a separate search engine on Google's technology platform. Just by creating a special URL, hackers can insert or overwrite whatever source code they want on the target website. Hackers can also take advantage of this error to steal browser cookies, gain users' login rights, and steal personal information.
Details of the error and an illustrative link have been posted on the Mustlive blog site (http://websecurity.com.ua/1368/). Google said that there were about 200,000 such websites at the time, any of which could be attacked at any time.
The remaining security flaw could be exploited by hackers to steal digital photos in Google Picasa by tricking users into visiting a malicious website. But this is a complicated security error that is relatively difficult to exploit, so the level of danger is not high. Exploiting it requires combining various techniques such as XSS, spoofing that requires login via the application, Flash and a URI handler.
A Google spokesperson said the company had received information on the above security flaws and was investigating to find a thorough fix. The company has not yet detected any attacks on users that take advantage of these newly discovered security flaws.