Google Fixes Adwords Security Flaw | Internet News

Dec 15, 2006

Google AdWords advertisers can rest easy this weekend, secure in the knowledge that Google has acted quickly to fix a potential cross-site scripting security vulnerability.

AdWords is Google’s principal source of revenue, allowing advertisers to buy pay-per-click or impression-based advertising on Google and content sites affiliated with Google.

The vulnerability was an HTTP Response Splitting flaw in the AdWords interface that could have triggered cross-site scripting (XSS), defacement, hijacked pages or other attacks against Google AdWords advertisers.

According to the description of the flaw posted by security researcher Debasis Mohanty, the HTTP Response Splitting flaw becomes possible when user input is injected into the value section of an HTTP header without properly escaping or removing CRLF (carriage return, line feed) characters, which can lead to two HTTP responses instead of one.
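The effect of an unescaped CRLF in a header value, next to two ways of handling it, as an added example: this is not Google's code or Mohanty's proof of concept, and the function names, the redirect scenario and the sample value are all constructed for illustration.

```python
import re
from urllib.parse import quote

# CR and LF end a header line; NUL is refused too, as it has no place in a header value.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_redirect_naive(target: str) -> bytes:
    """Vulnerable pattern: user input copied straight into a header value."""
    head = f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n"
    return head.encode("latin-1")


def build_redirect_strict(target: str) -> bytes:
    """Hardened: refuse any value that could terminate the header line."""
    if _FORBIDDEN.search(target):
        raise ValueError("CR/LF/NUL not allowed in header value")
    return build_redirect_naive(target)


def build_redirect_encoded(target: str) -> bytes:
    """Alternative: percent-encode, so CR/LF become %0D%0A inside the URL."""
    return build_redirect_naive(quote(target, safe="/:?=&"))


def header_names(raw: bytes) -> list:
    """Header names as a receiving client or proxy would split them."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample input: a path followed by CRLF and a marker header.
SAMPLE = "/campaigns\r\nX-Injected: 1"

if __name__ == "__main__":
    # Naive builder: the input has become a header of its own.
    print(header_names(build_redirect_naive(SAMPLE)))
    # Encoded builder: the input stays inside the Location value.
    print(header_names(build_redirect_encoded(SAMPLE)))
    try:
        build_redirect_strict(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

Most current web frameworks and HTTP libraries apply a check like the strict one when a header is set, so the flaw tends to appear where responses are assembled by hand.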

Instead of publishing the flaw as a zero-day exploit, Mohanty first submitted the flaw, with a proof of concept, to Google on November 20.

Google confirmed the following day that the flaw was valid, but Mohanty only disclosed the flaw, which Google has fixed, this week.

“Google was alerted to this issue and we worked quickly to fix the problem, which was resolved prior to the initial publication,” Google spokesperson Barry Schnitt said in a statement.

“We have no reports of exploits and applaud the reporter for following responsible vulnerability disclosure practices.”
