Researchers expose Google Apps Security Vulnerabilities

Source: Internet
Author: User
Raff said that a small XSS issue in Google Maps may bypass the browser's same-origin policy to hijack Google, Gmail, or Google Apps accounts.

Two security researchers, Aviv Raff and Adrian Pastor, pointed out last week that Google Apps contains security design vulnerabilities.

Raff pointed out in his blog that users can access Google's various web applications through many Google subdomains, including Google Maps, Gmail, Google Images, Google News, and Google.com. The main problem is that hackers can exploit a security design vulnerability in the way web applications are shared across domains.

Cross-domain sharing of web applications means that other web applications can be reached under a specific application's domain. For example, the Google News service can be used under a Google Maps domain.

As a result, Raff said, a small XSS issue in Google Maps may bypass the browser's same-origin policy to hijack Google, Gmail, or Google Apps accounts.
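As an added illustration (not code from Raff, Pastor or Google), the following JavaScript audits a constructed inventory of application URLs and reports which applications share a browser origin, and therefore which ones a script flaw in one application would expose. The hostnames, paths and function names are assumptions made for the example.

```javascript
// Constructed inventory: hostnames and paths are placeholders, not real endpoints.
const inventory = [
  { app: "maps",   url: "https://maps.example.com/" },
  { app: "news",   url: "https://maps.example.com/news" },  // news reachable under the maps host
  { app: "mail",   url: "https://maps.example.com/mail" },  // mail reachable under the maps host
  { app: "mail",   url: "https://mail.example.com/" },
  { app: "images", url: "https://images.example.com/" },
  { app: "admin",  url: "https://maps.example.com:8443/" }, // different port, so a different origin
];

// The same-origin policy compares scheme, host and port; the path is ignored.
function originOf(url) {
  return new URL(url).origin;
}

// Map each origin to the set of applications reachable on it.
function appsByOrigin(entries) {
  const map = new Map();
  for (const { app, url } of entries) {
    const origin = originOf(url);
    if (!map.has(origin)) map.set(origin, new Set());
    map.get(origin).add(app);
  }
  return map;
}

// Applications that share an origin with `vulnerableApp`: the browser does
// not isolate them from script running in that application's pages.
function exposedBy(entries, vulnerableApp) {
  const exposed = new Set();
  for (const apps of appsByOrigin(entries).values()) {
    if (!apps.has(vulnerableApp)) continue;
    for (const app of apps) if (app !== vulnerableApp) exposed.add(app);
  }
  return [...exposed].sort();
}

// Origins that host more than one application, listed for review.
function sharedOrigins(entries) {
  return [...appsByOrigin(entries)]
    .filter(([, apps]) => apps.size > 1)
    .map(([origin, apps]) => ({ origin, apps: [...apps].sort() }));
}

console.log(exposedBy(inventory, "maps"));
console.log(JSON.stringify(sharedOrigins(inventory)));
```

Serving each application only from its own host keeps every origin in `sharedOrigins` down to a single application, so a flaw in one stays contained by the same-origin policy.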

Pastor published a proof of concept that attacks a frame injection vulnerability in Google Images to embed a fake Gmail login page in Google Images. The cross-domain application sharing vulnerability is then used to further convince users that this is a legitimate login page.

Raff pointed out that he discovered the vulnerability in April this year and reported it to Google. At that time, Google said it would investigate the vulnerability, but he never received a response from Google. After Pastor published the proof of concept, he decided to disclose the relevant information so that Google could fix it as quickly as possible.
