Twitter and Google Calendar XSS vulnerabilities revealed

Interestingly, he reports that a similar vulnerability applies to the Google Calendar service, allowing attackers to steal cookies and session IDs on either service, a flaw which could lead to a hijacking of Twitter and/or Google accounts.

Another security problem with Google Calendar reportedly centres on a potential HTML injection attack that  - when used on a targeted basis - can redirect users to malware-infested websites.

Reporting on the vulnerabilities, eWeek's Brian Prince noted that Goldshlager had sent his code findings into the publication, which relayed them to Google and Twitter.

Prince reports that both Google and Twitter have been notified of the problems, with Twitter fixing the security vulnerability last Wednesday.

Google, meanwhile, is said to be looking into the problem and, in the meantime, is quoted as saying it does not think there is a great danger from the flaw.

A Google spokesperson said: "We do not believe this report contains evidence of substantial security issues."

"Trying to trick someone into copying unfamiliar, suspicious code into a Google Calendar text field is neither a likely attack vector, nor one that we are seeing being exploited."

"Nonetheless, we will check the input validation mechanisms in Google Calendar text fields to help prevent any abuse of this capability before an event is sanitised."

Back with Goldshlager, meanwhile, and he says that the Google XSS vulnerability can be exploited if a victim adds malicious code to his quick add post calendar.

"When the victim adds this malicious code, his cookies and session ID will be stolen and will be sent to the attacker site," he said, adding that the attacker can then gain full control of the victim's Google accounts.

What’s hot on Infosecurity Magazine?