Google Auctions XSS Proof of Concept
Note: Google has now fixed the vulnerability.
The truth is, however, that XSS is an extremely powerful method through which a criminal can rely on the trust a user places in an individual web site to coax that user into giving up important information. Furthermore, it is not limited to just collecting cookie data. A well-executed XSS attack can draw a user through an intricate multi-page fraud in which the user is led, step by step, into providing not just usernames and passwords… Take for example the below…
Everyone knows about the possibility of a Google version of eBay. Well, what if a clever fraudster used XSS to launch a fake Google Auctions Beta? It would be easy to accomplish this with XSS, and just as easy to convince people they need to provide financial information. There is nothing uncommon about an auction site asking for personal information like bank accounts or Social Security Numbers for tax purposes. So, follow the link below…
Instead, the fraudster’s form directs you to another XSS page on Google. This one asks for further information to set up your account. The user now thinks he/she has successfully logged into the system and, thus, has nothing in the world to worry about. Do No Evil, Right!?!
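Added example, not code from the original post or from Google: a constructed, hypothetical search handler shows why a reflected parameter lets injected form markup render as genuine content on the trusted domain, and how HTML-encoding the reflected value before output neutralizes it.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed page template standing in for a search results page on a
# trusted site (hypothetical; not Google's markup).
PAGE = "<html><body><h1>Results for: {term}</h1></body></html>"


def _search_term(url: str) -> str:
    """Extract the 'q' query parameter from a request URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the search term into the page without encoding (the XSS bug).

    Any HTML in the parameter becomes live markup served from the trusted
    origin, which is exactly what makes the fake sign-up form convincing.
    """
    return PAGE.format(term=_search_term(url))


def render_safe(url: str) -> str:
    """Same page, but HTML-encode the reflected value before emitting it.

    The browser now shows the injected text literally instead of rendering
    a form, so there is nothing for a victim to fill in.
    """
    return PAGE.format(term=html.escape(_search_term(url), quote=True))


def renders_live_form(page_html: str) -> bool:
    """Crude response check: does the page contain an actual <form> tag?"""
    return "<form" in page_html.lower()


# Constructed sample input: a search term carrying a fake account form of the
# kind the post describes (placeholder field name, no real destination).
INJECTED_TERM = '<form><input name="ssn"></form>'
SAMPLE_URL = "https://trusted.example/search?q=" + quote(INJECTED_TERM)

if __name__ == "__main__":
    print("vulnerable renders a form:", renders_live_form(render_vulnerable(SAMPLE_URL)))
    print("safe renders a form:     ", renders_live_form(render_safe(SAMPLE_URL)))
```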
The problem with most good people is that they just are not as clever as the bad people. Calling XSS not a vulnerability is like calling the gas tank on a Pinto not a vulnerability. While XSS is part of a social engineering attack, so is a car wreck with a Pinto. The truth is, the internet is filled with average users just like roads are filled with average drivers – we don’t need sites with XSS holes and we don’t need cars that explode on impact.