Minor security hole in Google

Webmasterworld's "hitchhiker" and I found a security hole in Google today. He searched for something like "this can't be true" and his browser reported a JavaScript syntax error. I pointed out that with a carefully constructed query string, you can get Google to spit out something syntactically valid that does whatever you want. For example:

http://www.google.com/search?q='+alert(document.cookie)+'

causes Google to generate the following onClick attribute:

onClick="c('http://images.google.com/images?q='+alert(document.cookie)+'&hl=en&lr=&ie=UTF-8&c2coff=1&safe=off','wi',event);"

If you follow the link and click a tab (web, images, groups, directory, news), you'll see your Google cookie in a dialog.

Hitchhiker responded:

I just can't believe G made that kinda mistake.

ESCAPE ESCAPE!

Escaping is not always the best solution. When I found a similar hole in some JavaScript code in Mozilla, ducarroz's solution was to use an alternative window.setTimeout syntax. The normal version of setTimeout takes a string to be parsed and executed; the alternative version takes a function and parameters. Instead of escaping the untrusted input, we avoided parsing a string containing the untrusted input.
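The difference between parsing a string that contains the untrusted input and passing that input as a function argument, as an added example that is not code from the original post, Google or Mozilla. It runs in Node.js; the `c` and `alert` stubs, the cookie value, the shortened URL suffix and the helper names (`makeEnv`, `runAsParsedString`, `runAsFunctionArgument`, the `schedule` parameter) are assumptions made for the demonstration.

```javascript
// Constructed stand-ins so the demo runs without a browser: c() and alert()
// only record that they were called, and the cookie is a made-up sample.
function makeEnv() {
  const calls = [];
  return {
    calls,
    c: (url) => calls.push('c(' + url + ')'),
    alert: (msg) => calls.push('alert(' + msg + ')'),
    document: { cookie: 'PREF=constructed-sample' },
  };
}

// Pattern 1: splice the query into JavaScript source and parse the result,
// which is what an onClick attribute or setTimeout("...") does.
function runAsParsedString(q) {
  const env = makeEnv();
  const source = "c('http://images.google.com/images?q=" + q + "&hl=en')";
  new Function('c', 'alert', 'document', source)(env.c, env.alert, env.document);
  return env.calls;
}

// Pattern 2: the function form, setTimeout(fn, delay, ...args). The query is
// handed over as an argument and is never parsed as code.
// `schedule` is a hypothetical hook so a test can fire the callback at once.
function runAsFunctionArgument(q, schedule = setTimeout) {
  const env = makeEnv();
  schedule((query) => {
    env.c('http://images.google.com/images?q=' + query + '&hl=en');
  }, 0, q);
  return env.calls; // filled in once the callback has run
}

const query = "'+alert(document.cookie)+'"; // the query string from the post

// Parsed as source: the quote closes the string literal and alert() runs first.
console.log('parsed string:', runAsParsedString(query));

// Passed as an argument: only c() runs, and the quotes stay inside the URL.
const pending = runAsFunctionArgument(query);
setTimeout(() => console.log('function + args:', pending), 10);
```

A query such as `can't` makes the first pattern throw a SyntaxError, which is the symptom that first exposed the hole.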

2 Responses to “Minor security hole in Google”

  1. Matt Brubeck Says:

    Looks like they fixed it. The single-quotes are now escaped with backslashes.

  2. Jesse Ruderman Says:

    Yep, it’s fixed now. And \ is already escaped as %5C, so I can’t type ‘ to get ‘ and defeat the escaping.