Cross-site scripting (XSS) vulnerabilities seem to be cropping up at major web sites all over.
In one case, in the Google Apps webpage, hosted on the google.com domain, has the vulnerability, said Ucha Gobejishvili, also known as longrifle0x, who found the flaw and reported it to Google.
Even though the risk level is low, if unresolved, the security hole present in one of the search modules could allow a remote attacker to hijack cookies and even steal accounts.
On the other hand, the attacker would have to social engineer the victim into performing certain tasks for the session hijacking to be successful.
The vulnerability, reported on January 21 and the vendor responded January 23, still exists on the Google page.
This is not the only vulnerability found by longrifle0x. The Forbes search page, Ferrari’s official online store, MTV, and the social network MySpace also contain the same type of vulnerability. None of them has a patch up and reports from XSSED reveal the domains already suffered from some hits.
XSS vulnerabilities are very common in commercial websites.
Last week, hackers from TeamHav0k found such bugs in other high-profile websites such as the ones belonging to Rochester Institute of Technology, Arizona State University, NYU Poly’s Center for Advanced Technology in Telecommunications, Michigan State University and Aurora University.
TeamHav0k also found cross-site scripting bugs in sites that belong to Verizon, Huffington Post, European Organization for Nuclear Research (CERN) , Electronic Arts (EA), IGN and The New York Times.