Cross Site Scripting Bugs Identified in Google Cloud and Play

 

A security researcher recently discovered a pair of vulnerabilities in Google Cloud, DevSite, and Google Play that allow hackers to launch cross-site scripting (XSS) attacks, opening the way to account hacking.

The first vulnerability is a reflected XSS flaw in Google DevSite. An attacker could exploit it by using malicious links to run JavaScript on the origins http://cloud.google.com and http://developers.google.com, meaning a malicious actor could read and alter their contents, circumventing the same-origin policy.

“Due to a vulnerability in the server-side implementation of part of the URL was reflected as html so it was possible to get XSS on the origins using that component from the 404 page,” researcher ‘NDevTK’ explained in a blog post.
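The pattern the researcher describes, a 404 page that reflects part of the URL as HTML, is shown below next to its output-encoded form. This is an added illustration, not Google's code or the researcher's; the handler names, page template and sample path are hypothetical and constructed for the example.

```javascript
// Added illustration; handler and function names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Percent-decode the requested path; malformed encoding is kept raw
// instead of crashing the error handler.
function decodePath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch {
    return rawPath;
  }
}

// Vulnerable pattern: the decoded path is concatenated into markup as-is,
// so any tags in the URL become part of the page on this origin.
function notFoundUnsafe(rawPath) {
  return { status: 404, body: `<h1>Not found</h1><p>No page at ${decodePath(rawPath)}</p>` };
}

// Hardened pattern: the same value is HTML-encoded at the point of output.
function notFoundSafe(rawPath) {
  return { status: 404, body: `<h1>Not found</h1><p>No page at ${escapeHtml(decodePath(rawPath))}</p>` };
}

// Regression check: does a marker sent in the URL come back unencoded?
function reflectsRawMarkup(handler, rawPath, marker) {
  return handler(rawPath).body.includes(marker);
}

// Constructed sample: a harmless <b> tag as the marker, percent-encoded.
const MARKER = '<b id=probe>';
const SAMPLE_PATH = '/docs/' + encodeURIComponent(MARKER + 'x</b>');

console.log('unsafe reflects markup:', reflectsRawMarkup(notFoundUnsafe, SAMPLE_PATH, MARKER));
console.log('safe reflects markup:  ', reflectsRawMarkup(notFoundSafe, SAMPLE_PATH, MARKER));
console.log(notFoundSafe(SAMPLE_PATH).body);
```

The `reflectsRawMarkup` check can run in a test suite against every error template that echoes request data.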

The second vulnerability is a DOM-based XSS on Google Play. DOM-based XSS vulnerabilities usually arise when JavaScri

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
