Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Vulnerabilities Discovered In Twitter, Google Calendar

Flaws could enable hackers to steal user IDs, cookies

Cross-site scripting (XSS) vulnerabilities in Twitter and Google Calendar could be used to steal cookies and session IDs, according to a security researcher.

Nir Goldshlager, a researcher with Avnet Information Security Consulting in Israel, says he also has found an HTML injection issue that could be used to redirect a victim to an attack site any time the user views Google Calendar agenda events, according to an eWeek report.

Goldshlager sent the code to eWeek, which, in turn, contacted Twitter and Google about the vulnerabilities, according to the report. Twitter issued a fix for the problem Dec. 30, and Google said Dec. 31 it would examine Google Calendar's input validation process to help address the situation.

"We do not believe this report contains evidence of substantial security issues," a spokesperson for Google said. "Trying to trick someone into copying unfamiliar, suspicious code into a Google Calendar text field is neither a likely attack vector nor one that we are seeing being exploited. ... Nonetheless, we will check the input validation mechanisms in Google Calendar text fields to help prevent any abuse of this capability before an event is sanitized."

According to Goldshlager, the XSS vulnerability can be exploited if a victim adds malicious code to his "quick add post" calendar, the news report says.

"When the victim ... [adds] this malicious code, his cookies [and] session ID will be stolen and will be sent to the attacker site," Goldshlager said. "Then the attacker will be able to get full control of the victim's Google accounts."

Goldshlager also demonstrated how the HTML injection vulnerability could be used to log a user out of his Google account, according to the report. The Google spokesman said the HTML flaw "is of negligible security impact" and "can be avoided by not clicking on the link."

According to the report, Goldshlager advised Google to "fix this immediately, because an attacker can redirect a victim to any site that he wants, and [with] the XSS issue, an attacker can steal the victim's cookies and get full control of his accounts."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...