Hackers Could Have Accessed Your Private Documents Through a Bug in Google Docs
Google Docs is a free web-based application in which anyone with an Internet connection and a full-featured browser can create, modify and manipulate documents online. Google has a feedback tool across all its services, and a bug was discovered in that tool earlier this year. The bug could have let attackers easily gain access to sensitive documents in Google Docs by routing them to a malicious website.
Security researcher Sreeram KL discovered the bug on July 9. He was rewarded $3133.70 under Google’s Vulnerability Reward Program. He stated in a blog post: “I was able to hijack Google Docs screenshot of any document exploiting post message misconfiguration and browser behavior”.
Google Docs and most of Google’s products come with a “Send Feedback” option (“Help Docs Improve” in the case of Google Docs). It is a common feature used to send feedback when facing an issue, and it also allows users to attach a screenshot so the issue can be described in a detailed and visual manner.
The feedback function is not implemented separately in each service; instead, it lives only on Google’s main website and is served to the other applications through an iframe element. An iframe is an HTML element that can be used to display a secondary page or pop-up from a different source inside the main page. In this case, the feedback feature is loaded from “feedback.googleusercontent.com”.
So, whenever a screenshot from Google Docs was added to the feedback feature, the RGB values of every pixel were transmitted to the parent domain in order to render the image; from there they were redirected to the feedback domain, which built the image and sent it back in an encoded format, Base64.
The bug lay in the process by which the post messages were transmitted to “feedback.googleusercontent.com”. The way the messages were sent allowed an attacker to manipulate the iframe element and point it at an external website. This prevents the screenshots from being uploaded to Google’s servers and sends them to the malicious external website instead.
Changing the target origin of the message and exploiting the cross-origin communication between the page and the frame it contained was only possible because the Google Docs domain lacks an X-Frame-Options header. This attack would require the user’s involvement (clicking the “Send Feedback” button) in order to capture the uploaded screenshot URL and transmit it to a malicious website; still, it could be exploited by taking control of the pop-up frame and redirecting its content to a domain of the attacker’s choice.
Security concerns rise when a developer fails to specify the target origin during cross-origin communication, as doing so can disclose data to a malicious website.
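The postMessage misconfiguration described above, as an added illustration that is not code from the article or from Google: a sender that broadcasts with a wildcard target origin beside one that pins the feedback origin, plus an origin allowlist on the receiving side. The hostnames other than feedback.googleusercontent.com, the message shape and the frame stand-in are assumptions so the code runs outside a browser.

```javascript
// Added example (not from the article or Google's code): weak vs. hardened
// postMessage handling around a feedback iframe. docs.google.com as the
// parent origin is an assumption; the frame stand-in below is constructed.
const FEEDBACK_ORIGIN = "https://feedback.googleusercontent.com";
const PARENT_ORIGINS = new Set(["https://docs.google.com"]); // assumed allowlist

// Weak: targetOrigin "*" delivers the screenshot to whatever page the
// iframe currently shows, so a frame navigated elsewhere still receives it.
function forwardScreenshotWeak(frame, pngBase64) {
  frame.postMessage({ type: "screenshot", data: pngBase64 }, "*");
  return "*";
}

// Hardened: pin the target origin; the browser silently drops the message
// if the frame has been navigated to any other origin.
function forwardScreenshotHardened(frame, pngBase64) {
  frame.postMessage({ type: "screenshot", data: pngBase64 }, FEEDBACK_ORIGIN);
  return FEEDBACK_ORIGIN;
}

// Receiving side: accept only messages whose event.origin is on the
// allowlist and whose shape is the one expected. Returns null on rejection.
function handleIncoming(event) {
  if (!PARENT_ORIGINS.has(event.origin)) return null;
  if (!event.data || event.data.type !== "screenshot") return null;
  if (typeof event.data.data !== "string") return null;
  return event.data.data;
}

// Constructed stand-in for a cross-origin frame handle, mimicking the
// browser rule that a message is delivered only when targetOrigin is "*"
// or equals the frame's current origin.
function fakeFrame(currentOrigin) {
  const delivered = [];
  return {
    delivered,
    postMessage(msg, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === currentOrigin) {
        delivered.push(msg);
      }
    },
  };
}

module.exports = { FEEDBACK_ORIGIN, forwardScreenshotWeak, forwardScreenshotHardened, handleIncoming, fakeFrame };
```

Run with a frame whose origin differs from FEEDBACK_ORIGIN to see the weak sender deliver the screenshot and the hardened one drop it.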