December 28th, 2014

Google’s XSS Problem: It happens in the best of families

A couple of days ago, this guy found an unbelievable XSS vulnerability on Google’s result page.

Basically when you add your site to Google index you can add some links that are shown as breadcrumbs in the result page and the user can click. In this post he shows how Google was not validating the input for those links, allowing you to write something like javascript:alert('hello!'), that executes on google.com origin when the user clicks the link.

Of course Google fixed this issue pretty fast, but the funny thing is that it was there since breadcrumbs functionality was available.

The lesson that we should learn is that this kind of XSS are everywhere on the web, from the smallest to the biggest company and that is not enough with regular developers, all the companies must have security experts reviewing the code all the time.

So the question is… Are you checking your code for XSS vulnerabilities enough?