Google Urchin password theft madness

There is a trivially exploitable XSS vul on Google Urchin Web Analytics 5‘s login page. The vulnerability has been tested on versions 5.6.00r2, 5.7.01, 5.7.02 and 5.7.03 (latest). Previous versions are most likely to be affected as well. In case you didn’t know, Google Urchin is the install version of Google Analytics.

I reported the issue to Google back on Jul 25 and was confirmed by their security team. They are now working on a fix. [...]

more | comments | comments rss | posted by