by seldo 4705 days ago
Does anyone else feel that XSS on google.com is probably worth a bit more to the wrong people than $5k? Arbitrary-eval is pretty much the worst. Unless I'm missing something, somebody could steal a user's cookie strings and post them to an arbitrary endpoint, which could then use them to log into, e.g. GMail, which an attacker could then use to trigger and retrieve password-reset links for all sorts of other sites.

When I worked at Yahoo, an XSS on yahoo.com (which almost never happened) was a code-red, drop-everything, holy-shit event. If I were at Google I'd probably give this guy a bonus.


In addition to the session ID cookies, you need the HSID cookie as well, which is HttpOnly. While this type of bug is bad, it doesn't allow for a malicious third party to get all of the cookies needed to take over the user's session.
Why bother with session cookies when you can just throw up an official-looking login dialog on the google.com domain and just steal credentials from everyone not aware enough?
Also, compartmentalization helps (keeping products in different JavaScript origins, e.g. mail.google.com, accounts.google.com, etc.).
Yes, but Google Finance is on google.com/finance (for some reason; I'm sure it used to be finance.google.com at some point...).

The importance of httpOnly had somehow escaped me until today :-)

I use Google Finance, Yahoo Finance, Marketwatch, Bloomberg and the WSJ stock pages very frequently and can confirm that Google Finance was on finance.google.com until quite recently. Pretty sure it was there earlier this year.

Cookies set for just subdomain.hostname.com can only be "seen by" that particular subdomain, while cookies set for hostname.com can be seen from hostname.com and any and all subdomains. I think that's why they do it constantly, at least stuff like www.google.com/glass certainly makes no sense otherwise. Why not make a fancy new domain for that? I think it's cookie greed.

Cookie greed doesn't explain it, because they don't issue any cookies for www.google.com, or at least, I don't have any; they do issue cookies for .google.com, which www and finance can access equally. It's either a branding thing, or a "they paid for the fancy load balancer so they're going to use it" thing.
That's a good point, I stand corrected. Of course, if you wanted to be "minimal" about cookies, you'd have to use a subdomain, but using one doesn't mean anything by itself.
calendar.google.com got changed too recently.
The cookie scenario is not really practical since you can prevent JavaScript from reading cookies with HttpOnly, and I could bet a lot that Google uses HttpOnly cookies where it matters.

The real threats I imagine are the social engineering it enables, or running code on the users' machines through browser plugin vulnerabilities. Also, running signed Java with a fake certificate is just a dialog confirmation from the user.

But I agree on your other point.
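The two mechanisms the thread keeps returning to (cookies scoped to a parent domain being visible from every subdomain and path under it, versus host-only cookies, and HttpOnly cookies being sent but not readable by script) are worked through below in an added example that is not part of the thread. The hosts, cookie names, values and attributes are constructed (`example.com`, a `SID` without HttpOnly, an `HSID` with it, a host-only `FIN` cookie), not Google's actual cookie configuration; the matching rules follow RFC 6265 domain and path matching.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers as a response from www.example.com might issue them
# (hypothetical names, values and attributes, not Google's real cookies).
ISSUING_HOST = "www.example.com"
SET_COOKIE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; Secure",             # shared with every subdomain, script-readable
    "HSID=def456; Domain=.example.com; Path=/; Secure; HttpOnly",  # shared with every subdomain, hidden from script
    "FIN=ghi789; Path=/finance; Secure",                           # no Domain attribute: host-only, one path prefix
]

def cookie_scope(header, issuing_host):
    """Parse one Set-Cookie header into the scope a browser would store for it."""
    jar = SimpleCookie()
    jar.load(header)
    name, m = next(iter(jar.items()))
    # RFC 6265: no Domain attribute means host-only (exact host); a Domain attribute
    # (leading dot ignored) covers that domain and every subdomain of it.
    return {
        "name": name,
        "domain": (m["domain"].lstrip(".") or issuing_host).lower(),
        "host_only": not m["domain"],
        "path": m["path"] or "/",
        "http_only": bool(m["httponly"]),
    }

def sent_to(cookie, host, path="/"):
    """Would the browser attach this cookie to an HTTPS request for host + path?"""
    host = host.lower()
    if cookie["host_only"]:
        domain_ok = host == cookie["domain"]
    else:
        domain_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    cookie_path = cookie["path"]
    path_ok = path == cookie_path or path.startswith(cookie_path.rstrip("/") + "/")
    return domain_ok and path_ok

def script_readable(cookies, host, path="/"):
    """Cookie names document.cookie exposes to script running at https://host/path,
    i.e. what a same-origin XSS there could read: sent to that origin and not HttpOnly."""
    return [c["name"] for c in cookies if sent_to(c, host, path) and not c["http_only"]]

if __name__ == "__main__":
    cookies = [cookie_scope(h, ISSUING_HOST) for h in SET_COOKIE_HEADERS]
    for host, path in [("www.example.com", "/finance"), ("finance.example.com", "/"),
                       ("example.com", "/"), ("evil-example.com", "/")]:
        sent = [c["name"] for c in cookies if sent_to(c, host, path)]
        print(f"{host}{path}: sent={sent} script-readable={script_readable(cookies, host, path)}")
```

Run stand-alone, it shows that the domain-wide `SID` is readable from both `www.example.com/finance` and `finance.example.com`, that `HSID` is sent to both but never readable, and that the host-only `FIN` cookie is exposed only on its own host and path.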