Google has patched a security hole on its main search-engine website.

It was notified of a cross-site scripting vulnerability in September, according to the security company that told it, Finjan. Google fixed the problem "within a few days", said a Finjan spokeswoman.

The vulnerability could have allowed a remote attack to take over Google accounts or fake Google content and deceive computer users into going to a bogus site and giving up personal information, Limor Elbaz, Finjan's vice president of business development and strategy, said.

Two sub-sites contained forms that did not validate and filter input. Because of the lack of data validation and filtering, the vulnerability could have allowed an attacker to inject content and scripts and steal users' cookies. When users were logged on, an attacker could then gain access to Google services such as account information, saved searches, Google alerts and the user's Google Groups identity, Finjan said.