Malicious Code Research (MCRC) Blog - 2009

Nov 06, 2007

Google Faux Pas

Whoops. It happens even to the best of the best.

You try to close all the cross-site scripting (XSS) holes in all of the dynamic pages distributed all over your domain, but forget the main page...

This time it happened to Google, but others had the same problem before, and will probably have it in the future.

Recently, we encountered an embarrassing XSS issue on the main search page of Google.

Nothing tricky. No pockets in our sleeves. Just a simple non-existent query with a script, and poof, the injected script is executed.

I don’t need to tell you how serious this issue was. Yes, was… Google was very quick to fix this issue, in just a few hours.

Just for the record, here is a video demonstrating the vulnerability:

Posted by Aviv Raff

      
