Ucha Gobejishvili, also known as longrifle0x, found the flaw in Google Apps and reported it to Google.
Even though the risk level is estimated as low, the security hole in one of the search modules, if left unresolved, could allow a remote attacker to hijack cookies and even steal accounts.
On the other hand, the attacker would have to social engineer the victim into performing certain tasks for the session hijacking to be successful.
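As an added illustration, not taken from the article or from the researcher's reports, the snippet below models the class of bug described: a search module that reflects the user's query into the results page. It shows the unsafe and the escaped rendering side by side, plus the HttpOnly session-cookie flag that limits what a reflected script could read. The URL, parameter name and cookie name are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlparse

# Constructed sample input: a crafted search link of the kind a victim would
# have to be social-engineered into opening, as the report notes.
SAMPLE_URL = "https://search.example.invalid/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_from_url(url: str) -> str:
    """Extract the `q` parameter as a search module would receive it."""
    params = parse_qs(urlparse(url).query)
    return params.get("q", [""])[0]


def render_results_unsafe(query: str) -> str:
    """Vulnerable pattern: the query is reflected into the page without
    encoding, so markup in the link becomes live script in the victim's origin."""
    return f"<h1>Results for {query}</h1>"


def render_results_safe(query: str) -> str:
    """Hardened pattern: HTML-escape the query before reflecting it.
    quote=True also encodes quotes, which matters if the value lands in an attribute."""
    return f"<h1>Results for {escape(query, quote=True)}</h1>"


def session_cookie_header(session_id: str) -> str:
    """Defence in depth: HttpOnly keeps the cookie out of document.cookie, so a
    reflected script cannot read it outright; Secure and SameSite limit where
    the browser sends it. Cookie name `sid` is a constructed placeholder."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def reflects_script(html: str) -> bool:
    """Simple review check: does the rendered page contain an unescaped script tag?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    q = query_from_url(SAMPLE_URL)
    print("unsafe render reflects script:", reflects_script(render_results_unsafe(q)))
    print("safe render reflects script:  ", reflects_script(render_results_safe(q)))
    print(session_cookie_header("constructed-session-id"))
```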
The vulnerability had been reported on January 21 and the vendor responded on January 23, but at the time of writing the bug still exists on the Google page.
This is not the only vulnerability found by longrifle0x in recent days. The Forbes search page, Ferrari’s official online store, MTV, and the social network MySpace also contain the same type of vulnerability. Unfortunately, none of them are currently patched, and reports from XSSED reveal that the domains have already been XSS’ed.
Last year the same security expert found XSS in Opera, Sony Ericsson and the official site of sportswear provider Puma.
XSS vulnerabilities are very common in commercial websites. A few days ago, hackers from TeamHav0k found such bugs in other high-profile websites, such as the ones that belong to Rochester Institute of Technology, Arizona State University, NYU Poly’s Center for Advanced Technology in Telecommunications, Michigan State University and Aurora University.
Besides university sites, the hackers also found the same security flaws in major US government sites.
A day before revealing this, TeamHav0k found cross-site scripting bugs in sites that belong to Verizon, the Huffington Post, the European Organization for Nuclear Research (CERN), Electronic Arts (EA), IGN and the New York Times.