Vulnerability in Google spreadsheets allows cookie stealing
April 14, 2008 – 6:09 AM
Security researcher Billy Rios has discovered a vulnerability in Google Spreadsheets which attackers can exploit using links to crafted tables to steal a user’s cookie. According to Rios, the victim has to follow such a link in Internet Explorer. The stolen cookie can be used to access all Google services with the victim’s identity, including reading the victim’s Google Mail.
Rios explains on his blog that the security vulnerability results from incorrect content-type headers or the browser ignoring these headers in HTTP responses returned by the server. The problem is not confined to Internet Explorer: according to Rios, Firefox, Safari and Opera can also ignore the content-type header and attempt to determine the server response content type themselves.
“With this single XSS, I can read your Gmail, backdoor your source code (code.google.com), steal all your Google Docs, and basically do whatever I want on Google as if I were you!” notes Rios. Google has now fixed the vulnerability and the browser now renders such crafted table content as text rather than HTML.
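The content-type problem described above can be checked for on the server side. The following is an added example, not code from Rios or Google: it flags responses whose declared type is not HTML but whose body starts like HTML. The function name, the hint list, the sniff window and the sample responses are assumptions, and the `X-Content-Type-Options: nosniff` header it checks is a real header that the article does not mention.

```javascript
// Added example: flag HTTP responses that a content-sniffing browser
// could render as HTML despite the declared Content-Type.

// Tags treated here as signs of HTML (illustrative list, an assumption).
const HTML_HINT = /<(?:!doctype|html|head|body|script|iframe|img|a|table|div|title)\b/i;
const SNIFF_WINDOW = 256; // leading characters inspected (assumption)

function auditResponse(headers, body) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  const findings = [];
  const type = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  const nosniff = (h['x-content-type-options'] || '').toLowerCase() === 'nosniff';
  const attachment = /^attachment\b/i.test(h['content-disposition'] || '');
  const looksHtml = HTML_HINT.test(body.slice(0, SNIFF_WINDOW));

  if (!type) findings.push('missing-content-type');
  if (!nosniff) findings.push('missing-nosniff');
  // Declared as non-HTML, yet the body starts like HTML: a sniffing browser
  // may override the declared type and interpret the markup.
  if (type !== 'text/html' && looksHtml && !nosniff && !attachment) {
    findings.push('sniffable-html-in-non-html-response');
  }
  return findings;
}

// Constructed sample: user-controlled table data containing markup.
const sampleBody = 'name,value\n<script>/* user-supplied cell */</script>,1\n';

// Weak: generic type, nothing that stops the browser from sniffing.
const weak = auditResponse({ 'Content-Type': 'text/plain' }, sampleBody);

// Hardened: explicit type and charset, sniffing disabled, served as a download.
const hardened = auditResponse({
  'Content-Type': 'text/csv; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
  'Content-Disposition': 'attachment; filename="export.csv"',
}, sampleBody);

console.log({ weak, hardened });
```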
Source: Heise Security