On July 11, 2013, I reported to Google Security an XSS vulnerability I discovered in the google.com main domain, which required no user interaction.

It is due to a glitch in Google Finance, which is hosted on google.com/finance, that makes it possible to trick the JavaScript application for plotting charts (in particular, the source file /finance/f/sfe-opt.js) into loading a file hosted on an external domain and eval()
