Google has patched a bug in the feedback tool embedded across its services that an attacker could have exploited to steal screenshots of potentially sensitive Google Docs documents by embedding them in a malicious website.
The flaw was discovered on July 9 by security researcher Sreeram KL, who was awarded $3133.70 for it under Google’s Vulnerability Reward Program.
Many Google products, including Google Docs, come with a “Send feedback” or “Help Docs to improve” option that lets users submit feedback along with an optional screenshot, which is uploaded automatically to highlight the specific issue.
Rather than duplicating the same functionality across its services, the feedback feature is deployed on Google’s main website (“www.google.com”) and integrated into other domains via an iframe element that loads the pop-up from “feedback.googleusercontent.com.”
This also means that whenever an image of a Google Docs window is included, rendering it requires the RGB values of each pixel to be transferred to the parent domain (www.google.com), which then forwards those RGB values to the feedback domain, which eventually assembles the image and sends it back in Base64-encoded format.
However, Sreeram identified a flaw in the way these messages were transmitted to “feedback.googleusercontent.com,” allowing an attacker to redirect the frame to an arbitrary external website and, in turn, steal the Google Docs screenshots that were supposed to be uploaded to Google servers.
Notably, the flaw stems from the lack of an X-Frame-Options header on the Google Docs domain, which made it possible to change the message’s target origin and take advantage of the cross-origin communication between the page and the frame it embeds.
Although the attack requires some form of user interaction – i.e., clicking the “Send feedback” button – an attacker could easily exploit this vulnerability to capture the URL of the uploaded screenshot and relay it to a malicious site.
This can be achieved by embedding a Google Docs file in an iframe on a fraudulent website and hijacking the feedback pop-up frame to redirect its content to a domain of the attacker’s choice.
Failing to specify a target origin during cross-origin communication is a security concern because it discloses the data being sent to whatever website currently occupies the receiving window.
“Always specify the exact target origin, not *, when you use postMessage to send data to other windows,” Mozilla documentation states. “A malicious site can change the window’s location without your knowledge, and so can intercept the data sent using postMessage.”
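The following is an added example, not Google’s code, that contrasts the wildcard postMessage target origin Mozilla warns about with the hardened form, and adds the receiver-side origin check. The origin names, the FakeWindow stand-in and the sample pixel values are assumptions constructed for the example.

```javascript
const FEEDBACK_ORIGIN = "https://feedback.googleusercontent.com"; // assumed trusted frame origin
const ALLOWED_SENDERS = new Set(["https://www.google.com"]);       // assumed trusted parent origin

// Stand-in for a browser window, constructed so the example runs outside a
// browser. It models only the browser's targetOrigin check: a message is
// delivered when targetOrigin is "*" or equals the window's current document
// origin, and silently dropped otherwise.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.received = []; }
  postMessage(data, targetOrigin) {
    if (targetOrigin === "*" || targetOrigin === this.origin) this.received.push(data);
  }
}

// Weak: wildcard target origin. If the embedding page has navigated the frame
// to another site, that site receives the screenshot's pixel data.
function sendPixelsWeak(frameWindow, pixels) {
  frameWindow.postMessage({ type: "pixels", pixels }, "*");
}

// Hardened: exact target origin. The browser delivers the message only while
// the frame's document is still the feedback origin; anything else is dropped.
function sendPixelsHardened(frameWindow, pixels) {
  frameWindow.postMessage({ type: "pixels", pixels }, FEEDBACK_ORIGIN);
}

// Receiver side: the feedback page must check event.origin before trusting the
// payload, since any page can post to it. Returns the pixels, or null.
function handleFeedbackMessage(event) {
  if (!ALLOWED_SENDERS.has(event.origin)) return null;
  const d = event.data;
  if (!d || d.type !== "pixels" || !Array.isArray(d.pixels)) return null;
  return d.pixels;
}

// How many messages each sender delivers to a frame whose document has been
// navigated to a third-party origin (constructed sample RGB values).
function leakCounts() {
  const pixels = [255, 0, 0, 0, 255, 0, 0, 0, 255];
  const weak = new FakeWindow("https://third-party.example");
  const hardened = new FakeWindow("https://third-party.example");
  sendPixelsWeak(weak, pixels);
  sendPixelsHardened(hardened, pixels);
  return { weak: weak.received.length, hardened: hardened.received.length };
}
```

Framing controls (X-Frame-Options or a CSP frame-ancestors directive on the framed document) are the complementary fix: they stop the document being embedded by a hostile parent in the first place.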