Security researcher Sreeram KL has reported a vulnerability in the feedback tool in Google services.
The company has patched the flaw, which could have allowed attackers to steal screenshots of sensitive Google Docs documents by embedding them in a malicious website. The researcher was awarded $3,133.70 under Google’s Vulnerability Reward Program.
Google Docs Vulnerability Explained
“I was able to hijack Google Docs screenshot of any document exploiting postmessage misconfiguration and a browser behavior,” Sreeram KL says in his report. The vulnerability he discovered resided in a Google feature called “Send Feedback”. The feature is present in most of the company’s products, and it allows the user to attach a screenshot together with a brief description of the issue encountered.
“As this is a common feature available in most of their sites, they have deployed the functionality in https://www.google.com and have integrated to other domains via Iframe,” Sreeram explains. The researcher discovered a bug in the way the images were passed to “feedback.googleusercontent.com,” which could allow threat actors to modify the frame to an arbitrary, external website, eventually stealing and hijacking Google Docs screenshots meant to be uploaded to Google’s servers.
Where does the Google Docs bug stem from?
The bug originates from the lack of an X-Frame-Options header on the Google Docs domain. Because the page can be framed by another site, an attacker can alter the target origin of the message and take advantage of the cross-origin communication between the page and the frame.
How easy is it to exploit the Google Docs bug?
It should be noted that an attack based on this bug requires some user interaction, such as clicking on the Send feedback button. However, the bug is still easy to exploit to capture the URL of the uploaded screenshot and deliver it to a malicious site. This is done by embedding the Google Docs file in an iframe on a suspicious site and hijacking the pop-up frame to redirect it to an attacker’s domain. In conclusion, not providing a target origin in a cross-origin communication is a security issue because the data sent is disclosed to whichever site is on the receiving end.
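The following is an added illustration, not code from the researcher’s report or from Google, of the point above: the targetOrigin argument to postMessage and an origin check on the receiving side decide who can read the screenshot URL. Browser windows are simulated with small stand-in objects so it runs offline; the allowed-origin list and the screenshot URL are constructed assumptions.

```javascript
// Assumed allowlist of origins that may receive or send feedback messages.
const ALLOWED_ORIGINS = ['https://docs.google.com', 'https://www.google.com'];

// Stand-in for a browser window: records what was posted to it. A real browser
// delivers a message only when targetOrigin is '*' or equals the window's origin.
function fakeWindow(origin) {
  return {
    origin,
    received: [],
    postMessage(data, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === this.origin) {
        this.received.push(data);
      }
    },
  };
}

// Weak pattern: the feedback frame replies to whoever opened it with no target
// origin, so a page that hijacked the frame still receives the screenshot URL.
function sendWeak(parentWindow, screenshotUrl) {
  parentWindow.postMessage({ screenshotUrl }, '*');
}

// Hardened pattern: name the origin the data is meant for; the browser drops the
// message if the receiving window is not actually that origin.
function sendHardened(parentWindow, screenshotUrl, expectedOrigin) {
  parentWindow.postMessage({ screenshotUrl }, expectedOrigin);
}

// Receiving side: check event.origin before trusting anything in event.data.
// Returns the screenshot URL when the sender is allowed, otherwise null.
function handleMessage(event) {
  if (!ALLOWED_ORIGINS.includes(event.origin)) return null;
  return event.data && typeof event.data.screenshotUrl === 'string'
    ? event.data.screenshotUrl
    : null;
}
```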
The researcher also provided a video proof-of-concept which you can watch on his blog.
In August 2020, security researchers discovered a vulnerability in Google Drive. The bug could allow threat actors to spread malicious files masquerading as legitimate documents or images, which in turn could enable highly effective spear-phishing attacks.