A security vulnerability in Google Docs could have allowed attackers to capture screenshots of private documents, a security researcher has found.
Reported by Sreeram KL under the Google Vulnerability Reward Program, the bug arises from a misconfiguration in the popular online word processor.
Stealing the screenshot
Many Google products have a ‘Send Feedback’ feature that allows users to report issues (in Google Docs it is called ‘Help Docs improve’). The dialog includes an option to send a screenshot along with the report, which is enabled by default.
Since the feature is shared across many applications, it is embedded as an iframe element from the main google.com domain.
Because the Google Docs window and the feedback iframe live on different origins, the screenshot of the Google document is stored at feedback.googleusercontent.com and handed to the feedback iframe with a cross-origin postMessage.
Sreeram’s goal was to find a way to cause the feedback iframe to post the screenshot to an arbitrary domain.
Previous research has shown that missing or misconfigured framing headers can let an attacker steal information that a page exchanges with its iframes.
PostMessage misconfiguration
Websites can send an X-Frame-Options header (or a Content-Security-Policy frame-ancestors directive) that stops other origins from embedding the page in an iframe. Besides blocking clickjacking, this matters for postMessage: a page that frames you can also navigate the iframes nested inside your page, and so redirect any messages you post to those frames.
Unfortunately for Google, the header was missing from the Google Docs application. An attacker could therefore embed Google Docs in an iframe on their own page and, from there, point the inner feedback iframe at an attacker-controlled domain. The window reference that Docs posts to does not change when the frame is navigated, so the screenshot message is delivered to whatever document is now loaded in that frame.
When the victim types in feedback and clicks Send, the screenshot of the Google document is sent to the attacker's domain.
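The two conditions above (the page can be framed, and the screenshot is posted to a frame that the embedder can navigate) are easiest to see in a small model of the frame tree. The following is an added example written for this article, not Google's code and not the researcher's proof of concept: it runs under Node, models the browser rule that postMessage is dropped unless targetOrigin is "*" or matches the origin of the document currently in the target window, and models X-Frame-Options / frame-ancestors evaluation. The origins (attacker.example, partner.example) and the function names are placeholders chosen for the demo.

```javascript
// Added example (not from the article or from Google): a Node model of
// the frame tree, of postMessage's targetOrigin check and of framing
// headers. Origins below are placeholders chosen for the demo.
const DOCS = "https://docs.google.com";
const FEEDBACK = "https://www.google.com";     // feedback widget's origin
const ATTACKER = "https://attacker.example";   // assumed attacker origin

class FakeWindow {
  constructor(origin, parent = null) {
    this.origin = origin;       // origin of the document currently loaded
    this.parent = parent;
    this.frames = {};           // named child frames, like window.frames
    this.inbox = [];            // messages actually delivered here
  }
  // Like <iframe name=... src=...>: returns the child's WindowProxy.
  createFrame(name, origin) {
    const child = new FakeWindow(origin, this);
    this.frames[name] = child;
    return child;
  }
  // Any window in the tree may navigate a descendant frame (even a
  // cross-origin one). The WindowProxy object survives the navigation,
  // so references the parent saved earlier now point at the new document.
  navigate(newOrigin) {
    this.origin = newOrigin;
    this.inbox = [];            // the new document starts empty
  }
  // window.postMessage(data, targetOrigin) as seen from the sender.
  // Returns true if the browser would dispatch the message.
  postMessage(data, targetOrigin, senderOrigin) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) {
      return false;             // browser silently drops the message
    }
    this.inbox.push({ origin: senderOrigin, data });
    return true;
  }
}

// Attacker's page framing Google Docs, which in turn frames the feedback widget.
function buildTree(embedderOrigin) {
  const top = new FakeWindow(embedderOrigin);
  const docs = top.createFrame("docs", DOCS);
  docs.createFrame("feedback", FEEDBACK);
  return top;
}

// Vulnerable pattern: the screenshot is posted with a wildcard target origin.
function sendScreenshotWildcard(top, screenshot) {
  return top.frames.docs.frames.feedback.postMessage({ screenshot }, "*", DOCS);
}

// Hardened pattern: the target origin is pinned, so a navigated frame gets nothing.
function sendScreenshotPinned(top, screenshot) {
  return top.frames.docs.frames.feedback.postMessage({ screenshot }, FEEDBACK, DOCS);
}

// The attack: navigate the nested feedback frame to the attacker's origin,
// then let Docs send the screenshot. Reports whether it arrived.
function attack(sender) {
  const top = buildTree(ATTACKER);
  top.frames.docs.frames.feedback.navigate(ATTACKER);
  const delivered = sender(top, "png-bytes-of-private-document"); // constructed payload
  return { delivered, leaked: top.frames.docs.frames.feedback.inbox.length > 0 };
}

// Whether a response with these (lower-cased) headers may be framed by
// embedderOrigin. frame-ancestors takes precedence over X-Frame-Options,
// and a missing header means anyone may frame the page (the Docs case).
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const csp = headers["content-security-policy"];
  if (csp) {
    const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
    if (m) {
      const sources = m[1].trim().split(/\s+/);
      return sources.some(s =>
        (s === "'self'" && embedderOrigin === pageOrigin) || s === embedderOrigin);
    }
  }
  const xfo = (headers["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true;
}

console.log("wildcard targetOrigin:", attack(sendScreenshotWildcard));
console.log("pinned targetOrigin:  ", attack(sendScreenshotPinned));
console.log("no framing header, framed by attacker:", framingAllowed({}, DOCS, ATTACKER));
console.log("SAMEORIGIN, framed by attacker:",
  framingAllowed({ "x-frame-options": "SAMEORIGIN" }, DOCS, ATTACKER));
```

Either fix closes the hole on its own: a framing header stops the attacker from getting a handle on the nested frame at all, and a pinned targetOrigin makes the browser drop the screenshot once the frame no longer hosts the feedback widget. Defence in depth uses both, and the receiving widget should still check event.origin before trusting anything it gets.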
“PostMessage misconfiguration has been a hot topic in recent times, so I was actively looking for one on Google products,” Sreeram told The Daily Swig.
“I was always amazed by Intigriti’s XSS challenges. I wanted to exploit quirks from those challenges in real-world applications – and it worked,” he said.
Sreeram posted a proof-of-concept video on YouTube.
This kind of bug is not limited to Google web applications.
“I strongly believe many other websites could also be affected by a similar bug, because many people aren’t really aware that the location of iframes can be replaced by a cross-origin domain,” the researcher warned.
Sreeram is currently ranked 37 on Google VRP’s hall of fame. This catch netted him a $3,100 bug bounty. Google has patched the bug following Sreeram’s report.