Microsoft blamed for Google Docs flaw threat

Google has fixed a flaw in Google Docs that allowed an attacker to hijack sessions on any Google service — but security experts say that the real damage is being caused by Internet Explorer, not Google's technology.

Security researcher Bill Rios reported yesterday that a cross-site scripting (XSS) attack against Google Spreadsheets could have exposed all of Google's services to attackers.

An XSS attack becomes possible whenever a site accepts input from a user and echoes it back into a page without encoding it properly. Attacker-supplied markup or script then runs in the victim's browser with the privileges of the vulnerable site, including access to its session, which is how a session hijack follows from a single unescaped field. The risk is compounded in this case because one user account is used across any number of Google services, from Docs to Gmail.
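To make the mechanism concrete, here is an added example (illustrative code written for this article, not Google's spreadsheet code). It is a toy renderer that turns a two-dimensional array of cells into an HTML table, once with the cell text concatenated straight into the markup and once with the text HTML-encoded. The sample sheet and the payload in its second row are constructed for the example; the payload is a generic one, not the one from the reported bug.

```javascript
// Added example, not Google's code: a toy spreadsheet-to-HTML renderer
// showing how an unescaped cell becomes script, and the hardened version.

// Constructed sample sheet. The second row's first cell is attacker-supplied;
// the payload is a generic illustrative one, not the one from the report.
const sheet = [
  ["Item", "Qty"],
  ['<img src=x onerror="alert(document.domain)">', "1"],
];

// Vulnerable: the cell's text is concatenated straight into markup, so any
// tag it contains is parsed by the browser instead of being displayed.
function renderCellUnsafe(value) {
  return "<td>" + value + "</td>";
}

// Hardened: encode the characters that can open a tag, end an attribute or
// start an entity, so the browser shows the value as literal text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCellSafe(value) {
  return "<td>" + escapeHtml(value) + "</td>";
}

// Render the whole sheet as a table using the supplied cell renderer.
function renderSheet(rows, renderCell) {
  return (
    "<table>" +
    rows.map((row) => "<tr>" + row.map(renderCell).join("") + "</tr>").join("") +
    "</table>"
  );
}

// Check used below: the renderer itself only emits <table>, <tr> and <td>
// (and their closing tags); any other tag in the output came from cell data.
function containsForeignTag(html) {
  return /<(?!\/?(table|tr|td)>)[a-z!\/]/i.test(html);
}

const unsafeHtml = renderSheet(sheet, renderCellUnsafe);
const safeHtml = renderSheet(sheet, renderCellSafe);

console.log("unsafe output carries a foreign tag:", containsForeignTag(unsafeHtml));
console.log("safe output carries a foreign tag:  ", containsForeignTag(safeHtml));
```

The point of the check at the end is that the application knows exactly which tags it intended to emit; anything else in its output is data that escaped into code. Encoding at the point where text is written into HTML is what Herath's "well designed" application does, and it does not depend on the browser guessing anything.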

Google fixed the flaw before it was made public, according to a Google spokesperson, and the company has not heard of it being exploited.

Although the attack exploited a flaw in Google, security experts say browser makers are also responsible for putting users at risk.

"Both systems are partially at fault. The ability to inject HTML code including embedded script into a cell of a spreadsheet document processed in a browser by a Web application is potentially unsafe to begin with," McAfee senior research scientist, Nishad Herath, told ZDNet.com.au.


"It is unlikely that a well designed spreadsheet document processing application would have executed the embedded script code," Herath added.

Browser makers such as Apple, Microsoft, Opera and Mozilla (maker of Firefox) are shirking their responsibilities to Internet users by failing to comply with Web standards, according to Herath.

"The Web is shifting fast from a static content landscape to a predominantly dynamic content... Browser vendors therefore should pay more attention to potential security implications of how browsers do things to make sure that they provide the best possible support to Web application developers in developing secure Web applications."

Security researcher Blake Frantz of Leviathan Security has analysed how Firefox, Safari, Internet Explorer and Opera decide what to do with files whose declared type is not HTML. In a report called Flirting with MIME types, Frantz found that every browser tested would render at least some non-HTML file types as HTML, but Internet Explorer was by far the worst offender: it rendered 696 of the 735 file types tested as HTML, against 14 for Opera, eight for Firefox and seven for Safari.
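Why that matters for a site hosting user-supplied content is easier to see with a model. The following is an added example, not code from Frantz's report or from any browser. The tag-pattern table is the "text or binary" check from the WHATWG MIME Sniffing standard as this editor recalls it; the `effectiveType` function and its `browser.sniffsDeclaredTypes` flag are a simplified model written for this article to contrast a browser that second-guesses a declared type (the behaviour the report measured) with one that does not, and it is not Internet Explorer's actual heuristic. The sample upload and headers are constructed.

```javascript
// Added example, not the Leviathan report's code: a simplified model of the
// "text or binary" check from the WHATWG MIME Sniffing standard, used here to
// show why a declared Content-Type alone did not protect users of a sniffing
// browser. It is an illustration, not Internet Explorer's actual 2008 logic.

// Tag patterns the standard compares against the start of the body
// (case-insensitive), each required to be followed by a space or '>'.
const HTML_PATTERNS = [
  "<!DOCTYPE HTML", "<HTML", "<HEAD", "<SCRIPT", "<IFRAME", "<H1", "<DIV",
  "<FONT", "<TABLE", "<A", "<STYLE", "<TITLE", "<B", "<BODY", "<BR", "<P",
  "<!--",
];

// Content-Type values the standard treats as "no usable type was declared".
const UNKNOWN_TYPES = new Set(["", "unknown/unknown", "application/unknown", "*/*"]);

// True if the first 512 bytes, after leading whitespace, look like HTML.
function sniffsAsHtml(body) {
  const head = Buffer.from(body).subarray(0, 512).toString("latin1");
  const text = head.replace(/^[\t\n\x0c\r ]+/, "");
  const upper = text.toUpperCase();
  return HTML_PATTERNS.some((pattern) => {
    if (!upper.startsWith(pattern)) return false;
    const terminator = text.charAt(pattern.length);
    return terminator === " " || terminator === ">";
  });
}

// Decide how a browser will treat a response (model, not any real browser).
// browser.sniffsDeclaredTypes = true models the behaviour the report measured:
// the browser overrides a declared non-HTML type when the body looks like HTML.
// X-Content-Type-Options: nosniff is a real response header that tells a
// browser honouring it not to sniff.
function effectiveType(headers, body, browser) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const declared = (lower["content-type"] || "").split(";")[0].trim().toLowerCase();
  const nosniff = (lower["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";

  if (UNKNOWN_TYPES.has(declared)) {
    // No usable type: every browser sniffs, but nosniff stops promotion to HTML.
    return !nosniff && sniffsAsHtml(body) ? "text/html" : "text/plain";
  }
  if (nosniff) return declared;
  if (browser.sniffsDeclaredTypes && sniffsAsHtml(body)) return "text/html";
  return declared;
}

// Constructed sample: a "text file" a user uploaded to a sharing site, which
// the site serves back with Content-Type: text/plain.
const upload = "<html><body><script>alert(document.domain)</script></body></html>";
const sniffingBrowser = { sniffsDeclaredTypes: true };
const strictBrowser = { sniffsDeclaredTypes: false };

console.log("sniffing browser, text/plain:        ",
  effectiveType({ "Content-Type": "text/plain" }, upload, sniffingBrowser));
console.log("sniffing browser, text/plain+nosniff:",
  effectiveType({ "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" }, upload, sniffingBrowser));
console.log("strict browser, text/plain:          ",
  effectiveType({ "Content-Type": "text/plain" }, upload, strictBrowser));
```

The practical reading for a site that hands back user-supplied files: declaring `text/plain` is not a boundary the browser is obliged to respect, so the content itself has to be made safe to render (or served with `X-Content-Type-Options: nosniff` and a correct type to a browser that honours it). That is Herath's point about browsers and Dean's point in the comments below at the same time: the browser cannot tell a spreadsheet cell from any other HTML, which is exactly why the application must not let cell data reach it as markup.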

Robert Vamosi from CNET News.com contributed to this story


Talkback 2 comments

    Doesn't even make sense Dean -- 15/04/08

    "The ability to inject HTML code including embedded script into a cell of a spreadsheet document processed in a browser by a Web application"

    How is the browser supposed to know whether it's injecting HTML into "a cell of a spreadsheet document" or into the cell of a regular HTML table? Sorry, but precognition doesn't even exist in humans, let alone in software.

    Looks to me like Google just want to blame everybody but themselves for their bug.

    Does McAfee have something against IE? Anonymous -- 16/04/08 (in reply to #320099811)

    Agree with the former comment. It's not like you can't exploit that without a browser!
