A “significant” vulnerability has been found in the page-caching technologies of the three major search engines - Google, Yahoo, & Microsoft Live Search. Researchers at Aladdin Knowledge Systems discovered the flaw, which allows the search engines to deliver malicious pages that have already been removed from the web. The discovery was made when the researchers were analyzing the content of a hacked university website, which had been cleaned up. However, the malicious content was still accessible through the search engines’ cached pages.

To take advantage of this flaw, Aladdin suggestions that an attack could create multiple malicious web pages at various hosting services, do some promotion of them into the search engines, and then take the pages offline so it appears as if there is no threat. Then, a series a links amongst multiple websites could be used for a cross-site scripting attack. (more…)