Nir Goldshlager, a researcher with Avnet Information Security Consulting in Israel, says he also has found an HTML injection issue that could be used to redirect a victim to an attack site any time the user views Google Calendar agenda events, according to an eWeek report.
Goldshlager sent the code to eWeek, which, in turn, contacted Twitter and Google about the vulnerabilities, according to the report. Twitter issued a fix for the problem Dec. 30, and Google said Dec. 31 it would examine Google Calendar's input validation process to help address the situation.
"We do not believe this report contains evidence of substantial security issues," a spokesperson for Google said. "Trying to trick someone into copying unfamiliar, suspicious code into a Google Calendar text field is neither a likely attack vector nor one that we are seeing being exploited. ... Nonetheless, we will check the input validation mechanisms in Google Calendar text fields to help prevent any abuse of this capability before an event is sanitized."
According to Goldshlager, the XSS vulnerability can be exploited if a victim enters malicious code into his calendar through the "quick add post" feature, the news report says.
"When the victim ... [adds] this malicious code, his cookies [and] session ID will be stolen and will be sent to the attacker site," Goldshlager said. "Then the attacker will be able to get full control of the victim's Google accounts."
Goldshlager also demonstrated how the HTML injection vulnerability could be used to log a user out of his Google account, according to the report. The Google spokesman said the HTML flaw "is of negligible security impact" and "can be avoided by not clicking on the link."
According to the report, Goldshlager advised Google to "fix this immediately, because an attacker can redirect a victim to any site that he wants, and [with] the XSS issue, an attacker can steal the victim's cookies and get full control of his accounts."
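The defensive point in this story is the one Google's spokesperson alludes to: text typed into a calendar field must be treated as data, never as markup, when it is later rendered in an agenda view, and any link stored with an event must be restricted to harmless URL schemes so it cannot redirect the viewer. The following is an added example written for this page; it is not code from the article, from Google Calendar, or from the researcher, and the event structure (`title`, `location`, `link`, `linkText`) and the sample events are constructed assumptions used to show output encoding and link validation on the client side.

```javascript
// Added example (not from the article or Google Calendar): render untrusted
// calendar event text as inert HTML, and only keep http(s) links.

// Escape the HTML-significant characters so user-supplied text renders as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs; javascript:, data:, and relative links are
// rejected (returns null), which prevents an injected link from redirecting
// the viewer or running script when clicked.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) {
    // Not a parseable absolute URL.
  }
  return null;
}

// Build one agenda list item. Every field passes through escapeHtml, and the
// link is emitted only when safeHref approves it.
function renderAgendaEvent(ev) {
  const parts = ['<li class="event">', `<span class="title">${escapeHtml(ev.title)}</span>`];
  if (ev.location) {
    parts.push(`<span class="where">${escapeHtml(ev.location)}</span>`);
  }
  const href = safeHref(ev.link);
  if (href) {
    const text = ev.linkText || href;
    parts.push(`<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`);
  }
  parts.push('</li>');
  return parts.join('');
}

function renderAgenda(events) {
  return `<ul class="agenda">${events.map(renderAgendaEvent).join('')}</ul>`;
}

// Constructed sample input: one event whose title carries markup, one whose
// stored link uses a non-http scheme, and one ordinary event.
const SAMPLE_EVENTS = [
  { title: 'Lunch <script>alert(1)</script>', location: 'Cafe "Bar" & Grill' },
  { title: 'Review', link: 'javascript:alert(1)', linkText: 'Open notes' },
  { title: 'Standup', link: 'https://example.com/agenda', linkText: 'Agenda' },
];

console.log(renderAgenda(SAMPLE_EVENTS));
```

Encoding on output rather than trying to strip "bad" characters on input means a legitimate title such as `Cafe "Bar" & Grill` survives intact while `<script>` becomes visible text; the scheme check on links is what closes the redirect path the article describes.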