Nobody's perfect, not even Google! Thanks to REz (a member of the CeSeNA group) I found out about this interesting feature (or bug?).

Try it yourself; this is the vulnerable link:
http://www.google.com/custom?hl=en&cof=L%3Ahttps://lh5.googleusercontent.com/-EvyPBS_l_xs/AAAAAAAAAAI/AAAAAAAAAAA/zPEV7I5plmE/photo.jpg?sz=200&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search
The cof variable does not seem to be filtered. Even the best web company on the web can fall to common vulnerabilities.
Here is TheHackerNews' report.
UPDATE-1:
If you think like the Anonymous commenter:

“There’s nothing weird about the “col” argument. It’s there to let users add a logo to the search page, when they embed a site search on their own page. It’s restricted to a specific Google domain, and there’s no way to break out of the src attribute.”

Please try it yourself before writing insulting comments.
Here is the link:
http://www.google.com/custom?hl=en&cof=L%3Ahttp://profile.ak.fbcdn.net/hprofile-ak-snc4/41644_100001697891319_8196115_n.jpg&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search
As you can see, profile.ak.fbcdn.net is outside the specific Google domain.
Again, I have not changed (or personalized) the Google logo; it's still there. BTW, I am not saying that this is a huge Google bug or that you can exploit it or whatever... I am just saying that through "cof" and "L" you can insert something weird, at least to me. Is this a feature? Well, cool, I'm fine with that. Please stop being offensive while hiding behind anonymity.
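As an added example (not code from the original post or from Google), this is the check a site embedding such a search form would want on the logo parameter: pull the L: URL out of cof, then accept it only if its host is on an allowlist and it contains no characters that could end an HTML attribute. The ';'-separated layout of cof and the allowlist contents are assumptions; the two links are the ones from the post.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist for this example: hosts a custom-search page may load
# its logo from. The post's first link uses lh5.googleusercontent.com.
ALLOWED_LOGO_HOSTS = {"lh5.googleusercontent.com", "www.google.com"}

# The two links from the post above.
POST_LINK_GOOGLE = ("http://www.google.com/custom?hl=en&cof=L%3Ahttps://lh5.googleusercontent.com/"
                    "-EvyPBS_l_xs/AAAAAAAAAAI/AAAAAAAAAAA/zPEV7I5plmE/photo.jpg?sz=200"
                    "&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search")
POST_LINK_FBCDN = ("http://www.google.com/custom?hl=en&cof=L%3Ahttp://profile.ak.fbcdn.net/"
                   "hprofile-ak-snc4/41644_100001697891319_8196115_n.jpg"
                   "&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search")


def extract_logo_url(search_url):
    """Return the URL carried by the L: field of cof, or None if absent.

    Assumption: cof is a ';'-separated list of key:value fields. The post only
    shows the L: field, so every other field is ignored.
    """
    for cof in parse_qs(urlsplit(search_url).query).get("cof", []):
        for field in cof.split(";"):
            if field.startswith("L:"):
                return field[2:]
    return None


def logo_url_is_allowed(logo_url):
    """Allowlist check: absolute http(s) URL, host on the allowlist, and none
    of the characters that could close an HTML attribute or open a new tag."""
    if not logo_url or any(c in logo_url for c in "\"'<>\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(logo_url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # hostname drops userinfo and port, so "allowed.host@evil.example/x.jpg"
    # is compared as evil.example and rejected rather than prefix-matched.
    return parts.hostname in ALLOWED_LOGO_HOSTS


def check_search_link(search_url):
    """Return (logo_url, allowed) for a custom-search link."""
    logo_url = extract_logo_url(search_url)
    return logo_url, logo_url_is_allowed(logo_url)
```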
UPDATE-2:
Many emails forced me to change the title from "Google XSS" to "Google Feature or Bug?".

20 thoughts on "Google Feature or Bug?"

  3. So how … exactly .. do you propose to exploit this? By linking an image so foul the poor target user breaks down and voluntarily emails you his password?.usagamezone.blogspot.com

  4. Hi,

    You might already be aware of this, but the RSS feed on your site includes a single word, “marketing”, linking to “hxxp://www.bidvertiser.com/bdv/BidVertiser/bdv_advertiser.dbm”. Seems a bit fishy to me.

    cheers,

    – pgl

  5. Of course, my dear friend, it is not an XSS. It was only an example to show you how your ironic comment ("So how ... exactly ... do you propose to exploit this? By linking an image so foul the poor target user breaks down and voluntarily emails you his password?") was not ironic at all. My point was, and is, the strange way they filter the variable. If you give it some tries, as I already said here ("If you try with quick inclusion you might see that Google does not filter the characters ' \ / and so forth, while it filters " and ><. So the behavior is pretty weird. Probably it's not a huge problem, but I think it would be nice to investigate further this parameter (col) called with this particular tag "L:"."), you will probably get my point. If you are interested in following this topic, please contact me directly; for example, Skype could be a good way to reach me, or email me. Thank you very much.

  6. @Anonymous:

    1) "So how ... exactly ... do you propose to exploit this? By linking an image so foul the poor target user breaks down and voluntarily emails you his password?"

    Yes, it might be a nice attack. A sweet "YOU WON" picture saying the user has to connect to X and drop a special code there, for example. X would be a malicious website.

    2) Please read the updates

  7. So how … exactly .. do you propose to exploit this? By linking an image so foul the poor target user breaks down and voluntarily emails you his password?

  8. @Anonymous: "There's nothing weird about the "col" argument. It's there to let users add a logo to the search page, when they embed a site search on their own page. It's restricted to a specific Google domain, and there's no way to break out of the src attribute."

    http://www.google.com/custom?hl=en&cof=L%3Ahttp://profile.ak.fbcdn.net/hprofile-ak-snc4/41644_100001697891319_8196115_n.jpg&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search

    As you can see, profile.ak.fbcdn.net is outside the specific Google domain. Again, I have not changed (or personalized) the Google logo. It's still there.

  9. That's not even close to being an XSS vulnerability.

    Had it been an *actual* vulnerability, disclosing it like this would be lame. Be responsible, and don't spread sensationalist bullshit.

  10. Well, the feature in the "col" variable called with a "L:" tag is not trivial at all, and I am not sure what the meaning of that is. I still did not try including anything other than an image. If you try with quick inclusion you might see that Google does not filter the characters ' \ / and so forth, while it filters " and ><. So the behavior is pretty weird. Probably it's not a huge problem, but I think it would be nice to investigate further this parameter (col) called with this particular tag "L:". @Boris: I did not change any Google logo. If you look at the picture, the Google logo is still where it should be.

  11. I also think it's not a security flaw but a feature.

    Most websites that have a "Search using Google" feature replace the Google logo with the website's logo.
