So I came across this in March 2008 while posting my blog on XSS. I included example code and to my surprise it executed. I emailed Blogspot about this issue but no one really seemed to care. But just so everyone knows, anyone can put malicious code into their Blogspot blog. They designed it to be this way so that people will not be restricted in their blogging creativity. Well that's just great, thanks Google for giving me the creative ability to pwn someone using one of the world's most used blog sites. Take a look at Google's solution to this issue.
http://help.blogger.com/bin/answer.py?answer=67427&topic=12469
They recommend that people report blogs that abuse this. Well, how many people using Blogger know what XSS is, and what about more subtle XSS attacks like cookie theft, etc.? I think it is ridiculous that Google is leaving everyone open to this attack. A study posted on stopbadware.com lists google.com as the number 5 most infected domain in the world with 4261 infected sites. How many of those are Blogger blogs? Does Google really disable infected blogs? I doubt it.
http://www.stopbadware.org/home/badwebs
Here is another article about the issue by Network World.
http://www.networkworld.com/news/2008/013108-attacker-google-blog.html
Google is notorious for ignoring security, and this is just another example.
Wednesday, July 23, 2008
1 comment:
One of my sites got compromised and I remember that Google search eventually flagged it with a big warning sign saying that this site has been infected and is potentially dangerous.
However, I do agree that Google is not very concerned about security.