Serafim
Google has fixed a vulnerability in the feedback tool used across its services. The vulnerability allowed an attacker to steal screenshots of confidential Google Docs documents simply by embedding them in a malicious site.
The vulnerability was discovered on July 9 by security researcher Sreeram KL, for which he received $3,133 from Google as part of a reward program for reporting vulnerabilities.
Many Google services, including Google Docs, are equipped with a feedback option that lets users send feedback, bug reports, and suggestions for improving the service to the company. Users can include screenshots, which load automatically into the submission, to illustrate the problem.
However, instead of duplicating this functionality in every service, Google implemented it once on its main website (www[.]google.com) and integrated it with the other domains via an iframe element that loads the pop-up content from feedback.googleusercontent.com. This means that every time a screenshot is included from the Google Docs window, rendering the image requires passing the RGB values of each pixel to the parent domain (www[.]google.com), which forwards those RGB values to the feedback domain, which in turn builds the image and sends it back in Base64-encoded form.
Security researcher Sreeram KL identified a vulnerability in how these messages were transmitted to the feedback.googleusercontent.com domain. By exploiting it, an attacker could replace the frame with an arbitrary external website and thereby intercept screenshots of Google Docs documents that were meant for Google's servers.
The vulnerability was caused by the absence of the X-Frame-Options header on the Google Docs domain, so an attacker could change the target origin of the message and abuse the link between the page and the frame contained in it.
Although the attack requires certain user actions, such as clicking the "Send feedback" button, an attacker could easily exploit the vulnerability to capture the URL of the uploaded screenshot and send it to a malicious site. This could be achieved by embedding a Google Docs file in an iframe on a fraudulent site and intercepting the feedback pop-up window in order to redirect its content to a domain controlled by the attacker.
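The two weaknesses the article describes are classic cross-frame messaging mistakes: a receiver that acts on a message without checking where it came from, and a document that can be framed by any site because it sends no anti-framing header. The following is an added illustration (not Google's code, and not part of the original post) of the defensive pattern on both sides. The origins, the `screenshot` message type and the function names are assumptions chosen for the example.

```javascript
// Added example: defensive handling of cross-frame screenshot messages plus
// the response headers that prevent a document from being framed by a
// foreign site. All origins and names below are assumptions for illustration.

// Allowlist of origins that may take part in the feedback exchange
// (assumed values modelled on the article's description).
const ALLOWED_ORIGINS = new Set([
  "https://www.google.com",                 // assumed: parent that relays pixel data
  "https://feedback.googleusercontent.com", // assumed: frame that renders the image
]);

// Receiver side. In a browser this would be registered with
// window.addEventListener("message", handleMessage). The key check is
// event.origin: a message from an unknown frame is dropped, so a page that
// swapped the frame for its own site would get nothing back.
function handleMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  if (!event.data || event.data.type !== "screenshot") {
    return { accepted: false, reason: "unexpected message type" };
  }
  return { accepted: true, bytes: event.data.payload.length };
}

// Sender side. Sensitive data must never be posted with targetOrigin "*";
// pinning the expected origin makes the browser discard the message if the
// target window has been navigated somewhere else.
function postScreenshot(targetWindow, payload, expectedOrigin) {
  if (!ALLOWED_ORIGINS.has(expectedOrigin)) {
    throw new Error("refusing to post screenshot to " + expectedOrigin);
  }
  targetWindow.postMessage({ type: "screenshot", payload }, expectedOrigin);
}

// Server side. The article attributes the bug to a missing X-Frame-Options
// header on the document domain; these headers (legacy and the CSP
// frame-ancestors equivalent) restrict who may embed the document at all.
function antiFramingHeaders(selfOrigin) {
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' " + selfOrigin,
  };
}
```

The receiver check and the sender's pinned `targetOrigin` are independent controls: either one alone would have stopped the interception described above, and the anti-framing headers remove the attacker's ability to load the document inside their own page in the first place.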