Cupertino slings quick fix.
Security researchers have disclosed an cross-site scripting vulnerability in Google France.
The flaw is the third most common web application security hole on the internet, and is commonly exploited in mass defacements and automated attacks.
Issam Rabhi (@issam_rabhi), researcher with French security outfit Sysdream, reported the flaw to Google on August 5th.
Google fixed the flaw four days after the report with Mountain View’s web security man Krzysztof Kotowicz telling Rabhi ‘nice catch’.
XSS proof of concept.
Image Issam Rabhi.
The mess “… allows attackers to deliver malicious code to victims which can compromise data and hijack browser sessions. may lead to private information compromise, cookie theft or even browser take over,” Rabhi says.
The researcher posted a proof-of-concept exploit after the hole was patched. He says he did not submit the bug under Google’s popular bug bounty program, preferring kudos to cash on this occasion. ®