Google as platform for attacks

WS201503 – Google as Platform for Attacks
by Miguel Regala

Google is vulnerable to a combination of problems that allows an attacker to use solely the Google platform and its 'secure' services as a vector for other attacks.

The problem combines a logout CSRF in a logout handler, open redirectors, and the ability to leverage legitimate Google functionality. The following are the reproduction steps for a scenario in which the attacker tries to capture a victim's Google credentials.

Reproduction steps:
1. The malicious user sends the victim the link:,doritos,mail,writely,,,s.PT
2. The victim is logged out of Google services and redirected to a web page controlled by the attacker.
3. The web page (hosted on Google Sites) mimics Google's login form and stores the submitted credentials (e.g. in a spreadsheet on Google Drive).
4. The victim is redirected to the real login page with a forced error message, prompting them to enter their credentials again.

The attack shares the backbone of an XSS attack. The particular quirk of this scenario is that everything happens under Google's own domain. Google Sites does not allow you to load JavaScript from other domains, except for some libraries hosted by Google. This would limit the attacker's ability to store the captured credentials, since they could not send them to another domain. However, the attacker can simply use Google Apps Script and hook the submit button to save the credentials to a Google document, for example.

After the attack, the user can be redirected to the real login page under the pretext that the login credentials were incorrect.

Google does not consider this attack a vulnerability; however, it is an example of how chaining several features that are individually considered not vulnerable can lead to a real problem.


01 Mar.15 – Submitted to Google
02 Mar.15 – Google replied that the vulnerability is out of scope
06 Mar.15 – Disclosure
