Couldn’t think of a sarcastic title for this post, and I don’t think it makes a heck of a lot of difference anyway - it’s just news, and not much to worry about. The Google Search Appliance, that box companies throw on the rack to help them weed through data on their own networks, opens up a cross-site scripting vulnerability that can allow phishers to promote their own scams.

Google has already issued a fix, and if the organizations using the system don’t want to pay attention, it becomes their problem alone.

Cross-site scripting attacks are hitting major websites, including MySpace, YouTube, and even venerable oldies like MSN, Dell, and Apple.

XSS attacks were long a tool of cute little script kiddies who malformed sites for the joy of their cute little friends. As a result, some still question how big the threat really is.

Just when you get complacent, someone is going to figure out how to make money from a vulnerability. Then shit hits the fan, and a bunch of overpriced consultants run in to save the day while someone’s multi-million a year ecommerce site flails, frames displaying Winnie-the-Pooh notwithstanding.

XSS, welcome to the corporate world.

When a script kiddie injects a chunk of javascript or a frame into a website, it generally gets fixed pretty quickly and everyone laughs about it. Maybe developers should think twice - those XSS exploits can cause a lot of harm, as detailed here.

I just got though jumping through hoops, getting special characters stripped from forms galore in an app. It was a pain in the butt, and the whole time I was thinking “who cares” if someone sticks a random reference to some other site, or a smiley faced pop-up. I did the work anyway, but I certainly won’t be shrugging off the risks anymore.

***UPDATE***

Brian Krebs has uncovered a few big sites that are affected by XSS. The NSA? Heh.