Saturday, October 13, 2007

Vulns of Google that where, and are not?

Well, this are the bugs at Google services that even do are fixed now, where around for a while.

First I have to say that the Google Security Team (yeah, that sounds like a hacking team xD), responded very well and quickly many times the same day, or 1 day after the report.

In an exchange of 35 mails (give or take), between each other, the following vulnerabilities where reported and fixed:

1.- XSS at GWT/MDP < http://www.google.com/gwt/mdp/x/en/detect/1?manually=true&brand=sirdackcat&model=sirdarckcat.net%3Cscript%3Ealert(document.cookie);%3C/script%3E >

The response to this mail had the following signature:

Erik, Google Security Team
NOTE: This message was sent by a human.

:P r0cks
the vulnerability was reported on July 27, and fixed on August 4.

2.- A CSRF+XSS vuln in Google Pages + Google Apps For Your Domain

1.- You need to make your victim log in into the attacker GoogleAppsForYourDomain (google pages) account.. to do that is not difficult.. you can make a simple script that submits a form the same way:
https://www.google.com/a/ DOMAIN /ServiceLogin
it's important to take into consideration, that the attacker will reveal the user and password (of his googleappsforyourdomain account) to the victim.

2.- Once your victim is logged in, you make your victim to go to a "preview" cached version of a page that has a script.. and that's all.

It sounds difficult, but it wasn't, the preview page could be reached with just 1 token that was revealed at signing up proccess.

Well, that one was reported on August 19 and fixed on September 4

Then, the same day, there was another one, now in the edition page.
3.- Another XSS+CSRF vuln in Google Pages + Google Apps For Your Domain.

In an unpublished page, add this code:
iframe src="javascript:alert(123);">< /iframe >

and then when you leave the site the code will be executed, and every time someone enters to that page..(or leaves) this could also be used to attack GoogleApps pages, when there is more than 1 admin.

Well, this one had a PoC, and was pretty cool :P, but it had some usernames and passwords, so if I release it, then the PoC wont last a second.. ¬¬

4.- Data Spoofing at Google Analytics.
Well this one is still "live", so I wont get on many details.
An attacker can make someone using Google Analytics beleive, that they came from your site (referrer), even if they haven't, they can make them change the URL of the report of activities on certain user, and a lot of cool stuff that are based on this.

5.- Google Mashups, XSS and Design Flaw.
lol, I've already reported this one here.. the XSS doesn't exist anymore, and the Design Flaw wont be fixed.

6.- Youtube redirection?
Is not a vulnerability on youtube, but in some plugins, that abuse it.. here it is.

7.- More cool stuff still about to be patched.
yeah, well, there are a few other vulns that will probably get fixed in the following weeks :P

For the guys that have asked me on the past, "why do you do this for free"? well, thats because.. it's like a hobby, I use google a lot, and I am curious.. I have a very cool Google T-Shirt, and well, maybe in the future I can make my name appear over here..

Greetz!!