The French Security Expert Issam Rabhi Has Discovered an XSS Vulnerability in Google Search. This Has Been Thought to Be Impossible After Many Other Security Experts and Vendors Have Probed the Technology Company.
French Researcher Identified a Cross-Site Scripting (XSS) Security Issue in Google’s Interface.
The French security expert Issam Rabhi has discovered an XSS vulnerability in Google Search. This has been thought to be impossible after many other security experts and vendors have probed the technology company.
The issue was identified in the custom widget that the company has implemented for the Olympics in Rio. Rabhi is employed for Sysdream, a French security vendor. The issue affects only the French version. The exploit is a reflected XSS where the attackers have to follow a specific mechanism to initiate the vulnerability. They have to convince the victim into accessing a Google link containing malicious code in the URL’s parameters.
The XSS vulnerabilities are often dismissed in bug bounty programs because they need specific conditions to cause any harm. However, they allow criminals to execute more dangerous attacks and collect cookies from the victims. In some hacks, they can even compromise and hijack the accounts of their victims.
The security risk attributed to the issue is rated as low. The researcher has provided a proof of concept test code that shows how the XSS vulnerability can be exploited by malicious users.
Google still use the affected widget to show the final results, now with the security issue fixed after the public disclosure.