Google has fixed a security flaw on its web portal that
opened the door to account identity theft, phishing scams and other
threats.
The cross-site scripting vulnerability existed on the website
for Google's AdWords advertising programme and a customer training
site, said internet security company Finjan Software, which
discovered the flaw.
Finjan said remote attackers could have exploited the flaw to
hijack Google accounts, launch phishing scams or download malicious
code onto users’ computers.
Google confirmed the flaw and said it corrected the problem
before any user data was lost or compromised.
Finjan said the security problem related to forms on Google's
website not validating and filtering data entered into certain
fields. This left the way open for attackers to inject extra
content and scripts that could be run on users’ computers.
Attackers would have then been able to craft special web links
on the site, which would have to be clicked by users for their
machines to become compromised.