Original URL: http://www.channelregister.co.uk/2008/04/15/google_spreadsheet_bug/
Security researchers have unpicked a flaw in Google spreadsheets that allows cookie stealing. The cross-site scripting vulnerability enables attackers to use stolen cookies to access any Google service a user has registered, including accessing a victim's Google mail account.
Google has now plugged the vulnerability, discovered by security researcher Billy Rios. In a blog posting (http://xs-sniper.com/blog/2008/04/14/google-xss), Rios explains that a caching flaw on Google's side, combined with problems in how browsers handle content-type headers, created a cookie-stealing risk. A Google cookie is valid across all of its subdomains, a convenience factor that greatly enhances the potential for mischief.
This particular XSS vulnerability on Google's domain takes advantage of how IE determines the content type of the HTTP response being returned by the server. Other browsers have problems in handling content-type headers properly, but this vulnerability is limited to IE.
Rios created a spreadsheet which contained HTML and a string of JavaScript code for viewing a user's cookie. He then saved this spreadsheet and generated a link for the spreadsheet to be served as a text-based CSV file, which IE mistakenly interprets as HTML.
Anyone viewing this doctored spreadsheet would hand over their cookies to Rios, or potentially an attacker, as explained here (http://xs-sniper.com/blog/2008/04/14/google-xss). Fortunately, Google has now rendered crafted table content as text rather than HTML.
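The server-side half of the fix described above comes down to two things: serve user-authored CSV in a way a browser will not sniff as HTML, and render cell contents as text, not markup, wherever they appear in a page. The example below is added here and is not Google's code; the header set (`X-Content-Type-Options: nosniff`, which IE only gained in IE8 after this article, plus `Content-Disposition: attachment`) is the standard defence rather than whatever Google actually deployed, and the sample rows and payload are constructed placeholders.

```python
import csv
import html
import io

# Constructed sample sheet: one cell contains markup and script, standing in
# for the doctored spreadsheet described in the article (placeholder payload).
SAMPLE_ROWS = [
    ["name", "note"],
    ["alice", "<script>alert(1)</script>"],
]


def csv_export(rows):
    """Build the headers and body for a CSV download of user-authored cells.

    Cell values are written through the csv module (every field quoted), and
    the headers tell the browser both what the bytes are and that they must
    not be re-interpreted: an explicit charset, nosniff, and a download
    disposition so the document is never rendered in the Google origin.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerows(rows)
    headers = {
        "Content-Type": "text/csv; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="export.csv"',
    }
    return {"headers": headers, "body": buf.getvalue()}


def html_table(rows):
    """Render cells into an HTML table with every value entity-escaped.

    This is the 'render as text rather than HTML' behaviour: the cell that
    holds <script> comes out as &lt;script&gt; and is displayed, not executed.
    """
    parts = ["<table>"]
    for row in rows:
        cells = "".join(f"<td>{html.escape(str(c), quote=True)}</td>" for c in row)
        parts.append(f"<tr>{cells}</tr>")
    parts.append("</table>")
    return "".join(parts)


def is_sniff_safe(headers):
    """Check a response's headers for the two anti-sniffing controls.

    Returns True only when the content type names a non-HTML text type,
    nosniff is set, and the body is delivered as an attachment.
    """
    ctype = headers.get("Content-Type", "").lower()
    return (
        ctype.startswith("text/csv")
        and headers.get("X-Content-Type-Options", "").lower() == "nosniff"
        and headers.get("Content-Disposition", "").lower().startswith("attachment")
    )


if __name__ == "__main__":
    resp = csv_export(SAMPLE_ROWS)
    print(resp["headers"])
    print(resp["body"])
    print(html_table(SAMPLE_ROWS))
    print("sniff-safe:", is_sniff_safe(resp["headers"]))
```

Note that the CSV body still carries the raw `<script>` text: the point of the download path is not to strip user data but to stop the browser treating the file as a page, whereas the HTML view path must escape because there the cell is embedded in markup the browser will parse.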
Rios has been active in identifying XSS flaws in Google's web applications. Last week, he published an advisory (http://xs-sniper.com/blog/2008/04/04/insecure-content-ownership) about a flaw in Google Code that lent itself to stealing users' passwords. Prior to that, Rios uncovered vulnerabilities in Google's Picasa, Heise Security adds (http://www.heise-online.co.uk/security/Vulnerability-in-Google-spreadsheets-allows-cookie-stealing--/news/110527). ®