Google has patched a bug in its feedback tool, which is integrated across its services, that could have been exploited by an attacker to steal screenshots of sensitive Google Docs files simply by embedding them in a malicious website.
The flaw was discovered on July 9 by security researcher Sreeram KL, who was awarded $3,133.70 for it as part of Google's Vulnerability Reward Program.
Many of Google's products, including Google Docs, come with a "Send feedback" or "Help Docs improve" option that lets users send feedback along with an optional screenshot, which is loaded automatically so that specific issues can be highlighted.
But instead of having to replicate the same functionality across its products, the feedback feature is deployed on Google's main website ("www.google.com") and integrated into other domains through an iframe element that loads the pop-up's content from "feedback.googleusercontent.com."
This also means that when a screenshot of the Google Docs window is included, rendering the image requires transmitting the RGB values of every pixel to the parent domain (www.google.com), which then forwards those RGB values to the feedback domain, which in turn constructs the image and sends it back in Base64-encoded form.
Sreeram, however, identified a bug in the way these messages were passed to "feedback.googleusercontent.com," which allowed an attacker to redirect the frame to an arbitrary external website and, in turn, steal and hijack Google Docs screenshots that were meant to be uploaded to Google's servers.
Notably, the flaw stems from the lack of an X-Frame-Options header on the Google Docs domain, which let the document be framed by a third-party page; combined with the message not being bound to an exact target origin, this made it possible to change the destination of the message and exploit the cross-origin communication between the page and the frame it contains.
While the attack requires some form of user interaction, namely clicking the "Send feedback" button, an exploit could easily leverage this weakness to capture the URL of the uploaded screenshot and exfiltrate it to a malicious site.
This can be achieved by embedding a Google Docs file in an iframe on a rogue website and hijacking the feedback pop-up frame so that its contents are redirected to a domain of the attacker's choice.
Failing to specify a target origin during cross-origin communication is a security concern because it discloses the data being sent to whatever site currently occupies the receiving window.
"Always specify an exact target origin, not *, when you use postMessage to send data to other windows," Mozilla's documentation states. "A malicious site can change the location of the window without your knowledge, and therefore it can intercept the data sent using postMessage."
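To make the postMessage point concrete, here is an added example that is not part of the original article and is not Google's code. It models the browser's targetOrigin rule in a few lines (a message is delivered only when the target window's current origin matches, or when "*" is used) and replays the scenario above: the embedding page navigates the feedback frame to an attacker origin, and the parent then posts the screenshot data. The google.com and googleusercontent.com origins are the ones named in the article; the attacker origin, the pixel payload and all function names are hypothetical. The second half shows the receiver-side check on event.origin that the feedback frame should perform as well.

```javascript
'use strict';
// Added example (not Google's code): a minimal model of window.postMessage's
// targetOrigin check, used to show why posting screenshot data with "*" leaks
// it once an attacker has navigated the frame elsewhere, and how the
// receiving side should also verify event.origin. The attacker origin, the
// payload and the function names are hypothetical.

class FakeWindow {
  constructor(origin) {
    this.location = { origin };
    this.listener = null;
  }

  addEventListener(type, fn) {
    if (type === 'message') this.listener = fn;
  }

  // Mirrors the browser rule: deliver only if targetOrigin is "*" or equals
  // the target window's origin at the moment of delivery.
  postMessage(data, targetOrigin, source) {
    if (targetOrigin !== '*' && targetOrigin !== this.location.origin) {
      return false; // silently dropped, as a real browser does
    }
    if (this.listener) {
      this.listener({ data, origin: source.location.origin, source });
    }
    return true;
  }

  // A page that embeds a frame can navigate it to a new document: the old
  // listener is gone and the frame's origin changes.
  navigate(origin) {
    this.location.origin = origin;
    this.listener = null;
  }
}

const PARENT_ORIGIN = 'https://www.google.com';
const FEEDBACK_ORIGIN = 'https://feedback.googleusercontent.com';
const ATTACKER_ORIGIN = 'https://attacker.example'; // hypothetical

// Constructed stand-in for the per-pixel RGB data described in the article.
const SCREENSHOT_RGB = [255, 255, 255, 0, 0, 0];

// Sender side. Returns whatever the attacker-controlled frame received
// (null if nothing) when the parent posts with the given targetOrigin.
function simulateScreenshotLeak(targetOrigin) {
  const parent = new FakeWindow(PARENT_ORIGIN);
  const frame = new FakeWindow(FEEDBACK_ORIGIN);

  // The embedding (attacker) page swaps the frame for its own document.
  frame.navigate(ATTACKER_ORIGIN);
  let captured = null;
  frame.addEventListener('message', (e) => { captured = e.data; });

  // The parent still believes it is talking to the feedback frame.
  frame.postMessage({ rgb: SCREENSHOT_RGB }, targetOrigin, parent);
  return captured;
}

// Receiver side: the feedback frame must reject messages whose event.origin
// is not the expected parent, otherwise a rogue page framing the tool can
// feed it data or trigger replies.
function makeFeedbackReceiver(expectedOrigin) {
  const accepted = [];
  const listener = (e) => {
    if (e.origin !== expectedOrigin) return; // ignore unexpected senders
    accepted.push(e.data);
  };
  return { listener, accepted };
}

// Returns how many messages the receiver accepted from senderOrigin.
function simulateReceiverCheck(senderOrigin) {
  const frame = new FakeWindow(FEEDBACK_ORIGIN);
  const { listener, accepted } = makeFeedbackReceiver(PARENT_ORIGIN);
  frame.addEventListener('message', listener);
  const sender = new FakeWindow(senderOrigin);
  frame.postMessage({ rgb: SCREENSHOT_RGB }, FEEDBACK_ORIGIN, sender);
  return accepted.length;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('wildcard target leaks:', simulateScreenshotLeak('*') !== null);
  console.log('exact target leaks:', simulateScreenshotLeak(FEEDBACK_ORIGIN) !== null);
  console.log('accepted from parent:', simulateReceiverCheck(PARENT_ORIGIN));
  console.log('accepted from attacker:', simulateReceiverCheck(ATTACKER_ORIGIN));
}
```

In a real page the two fixes map directly onto the browser API: the parent calls `frame.contentWindow.postMessage(data, 'https://feedback.googleusercontent.com')` rather than `postMessage(data, '*')`, so the browser drops the message if the frame has been navigated elsewhere, and the frame's `message` handler returns early unless `event.origin` is the origin it expects.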