Google Apps hit by session-stealing assault

By Dave Nixon

A security researcher has exposed a grave flaw in Google Spreadsheets, which could give an attacker access to all of a user’s Google services.

While the bug, a cross-site scripting (XSS) flaw, has now been fixed by Google, it is a sign of the dangers that can go together with the growing popularity of Software as a Service (SaaS), according to researcher Billy Rios, who uncovered the problem.

Due to the way Google structures its authentication processes, a solitary XSS attack can deliver access to all of a user’s Google services and documents, Rios said.

The exploit relied on the way Internet Explorer resolves the content type of server responses, ignoring the content-type header in certain conditions. Browsers such as Firefox, Opera and Safari can be made to share the same behaviour, Rios said.

To perform the attack, Rios injected HTML into the first cell of a table, along with Javascript designed to display the user’s cookie. IE then rendered the content as HTML, allowing the cookie to be viewed.

The attack could be delivered via a link to the specially formed spreadsheet, Rios said.

Rios recently publicised a weakness (also now fixed) in Google Code allowing the robbery of passwords.

Google Apps began as a set of hosted services, but Google this month has started implementing offline access to them, beginning with the word processor, Google Docs.

Over the next three weeks or so, Google will activate the feature for all word processor users, giving them the capacity to view and edit documents offline. During the same time period, Google Docs’ spreadsheet will gain offline ability for viewing, but not editing documents.

Google Docs’ third constituent, an application to make slide presentations, will continue for now without offline access. Nevertheless, Google has plans to extend the offline access to it and to other hosted services in the Google Apps suite, of which Docs is part. Apps also includes Gmail, Calendar, Talk and others.