Thursday, April 26, 2007

Google Talk (gTalk) HTML Injection Technique

Via SecuriTeam -

Google Talk is "a service offered by Google instant messaging. It allows communication via traditional text or voice and is also integrated with Gmail. According to information released last year, Google Talk is used by more than 3 million users worldwide".

The gTalk chat screen, which uses an Internet Explorer control to display messages, pictures and requests to the user, is vulnerable to HTML injection. The flaw resides in the file transfer notification. A user does not need to accept the incoming file transfer; the code is automatically displayed in the chat screen.

If combined with additional techniques (discussed in the additional considerations section), this flaw may be used to execute arbitrary HTML code and script code in the user's chat screen.
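The class of bug described above, shown from the defender's side as an added example (not Google Talk code and not part of the original advisory). It assumes the notification embeds peer-supplied strings such as the file name and sender name, which the page does not specify; all function names are hypothetical.

```javascript
// Added illustration: hypothetical names, not Google Talk code.
// Assumption: the chat view is an HTML control and the file transfer
// notification embeds peer-supplied strings (sender name, file name).

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: peer-controlled text is concatenated straight into markup,
// so any tags it contains are parsed as soon as the notice is displayed.
function renderTransferNoticeUnsafe(sender, fileName) {
  return '<div class="xfer">' + sender + ' wants to send you <span title="' +
    fileName + '">' + fileName + '</span></div>';
}

// Hardened pattern: every peer-controlled field is encoded before it is
// placed in element content or inside a quoted attribute.
function renderTransferNoticeSafe(sender, fileName) {
  const s = escapeHtml(sender);
  const f = escapeHtml(fileName);
  return '<div class="xfer">' + s + ' wants to send you <span title="' +
    f + '">' + f + '</span></div>';
}

// Regression check: true if peer text introduced markup beyond the template.
function addsMarkup(rendered) {
  const tags = rendered.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length !== 4; // template is exactly: div, span, /span, /div
}

// Constructed sample input: a benign formatting tag inside the file name.
const sampleSender = 'alice@example.com';
const sampleFile = 'report<b>.txt</b>';

console.log('unsafe adds markup:',
  addsMarkup(renderTransferNoticeUnsafe(sampleSender, sampleFile)));
console.log('safe adds markup:',
  addsMarkup(renderTransferNoticeSafe(sampleSender, sampleFile)));
```

The `addsMarkup` check can run as a unit test over every template that renders remote input, so a new notification type that skips encoding fails the build.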

Credit - The information has been provided by Alec Storm.

Vulnerability Status - Google was notified, but it remains unpatched.
