GoogHOle (XSS pwning GMail, Picasa and almost 200K customers)
Posted by: Giorgio in XSS, Google, NoScriptNot a great month for Google security.
In the past 3 days, 34 interesting disclosures have been published:
- Google Search Appliance XSS discovered by MustLive, affecting almost 200,000 paying customers of the outsourced search engine and their users: this Google dork shown 196,000 results at the time of disclosure, now dropped to 188,000. Fear effect?
- Billy Rios and Nate McFeters revealed the gory details of their already announced Picasa exploit, leveraging a clever combo of XSS, Cross Application Request Forgery, Flash same domain policy elusion and URI handler weakness exploitation to steal your private pictures, straight from your local hard disk, just visiting a malicious web page.
- Finally, the most simple yet impressive, because of the huge number of users involved: beford decided to launch his new blog disclosing a Google Polls XSS which, thanks to the (too) smart "widget reuse" allowing Google services to integrate the same functionality across multiple services, can be used to attack Search, Blogspot, Groups and, the most dramatic exploitation scenario, GMail:
- This POC steals your Google contacts
- This POC steals your GMail incoming messages, routing them to beford's mail address -- not a GMail account, obviously... :P
For such an attack to be successful, the victim just needs to visit a malicious website while logged in Google, e.g. by following a link from an incoming message (unless she's got anti-XSS protection).
- update -- a few hours after I released the first version of article, I heard of another Google-outsourced vulnerability, an Urchin Login XSS disclosed by GNUCITIZEN's Adrian Pastor, which could compromise local Google Analytics installations. Its severity may vary depending on how Urchin is installed (e.g. on a domain different than your main site), but the provided proof of concept is quite interesting because it shows an actual credential theft in action, rather than the usual, boring
alert('XSS')
. Not that a more spectacular example proves anything new about the dangers of XSS, but some people just don't believe until they can see with their own eyes.
These vulnerabilities are surely being fixed at top speed, since Google is one of the most reactive organizations in this fight, but they're nonetheless disturbing because they hit the very main player on the field, with the largest user base on the web: this make this kind of incidents unavoidable ipso facto.
How many vulnerabilities like those just go undisclosed and unpatched, but yet exploited by unethical hacrackers?
In Gareth Heyes' words,
This proves everything is insecure, there are just degrees of insecurity.
Talking about XSS, if you're an end user and you don't like to stay at the very bottom of the insecurity food chain, you'd better use Firefox with NoScript -- but that's your choice, of course. ;)
September 24th, 2007 at 4:10 pm
Whoosh! Very slick. I clicked on a link and waited before realizing that the code had already executed, entirely transparently. Time to reconfigure NoScript again...
September 24th, 2007 at 5:34 pm
[...] Last couple of days were particularly interesting as different users reported various hole’s and vulnerabilities of Google services and some published ones you can find on Hackademix.net. [...]
September 24th, 2007 at 6:11 pm
[...] Този материал описва доста притеснителни XSS дупки в сигурността на продуктите на Google. Явно авторът очаква средностатистическия читател да е доста изплашен, но предвид наличието на NoScript (споменат в материала), не съм чак толкова притеснен. Сега да очакваме инвазия на skiddies от “младата генерация”. [...]
September 24th, 2007 at 7:12 pm
[...] Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites. [...]
September 24th, 2007 at 7:38 pm
noscript ftw!
September 24th, 2007 at 8:14 pm
[...] Firefox con NoScript están a salvo de las vulnerabilidades XSS, como su autor, Giorgio Maone, se encarga hoy de [...]
September 24th, 2007 at 8:36 pm
Giorgio,
Great recap and thanks for the postback, but I'm afraid you forgot a few... if you take a peak at our site (Billy Rios and I), you'll see that there's actually been two other exploits against Google this month. One, http://xs-sniper.com/blog/2007/09/18/the-old-dog-and-his-old-tricks-part-i/ discusses the use of a Google SMTP server to send arbitrary messages to anyone from Google/GMail.com from anyone from Google/GMail.com. The second, http://xs-sniper.com/blog/2007/09/20/bk-for-mayor-of-oak-tree-view/ is even scarier (if you plan on using Google Docs) as Billy discovered a way to read the contents of arbitrary documents AND EDIT the contents of arbitrary documents.
All this, and I can guarantee that there will be more from the two of us this month as I know Billy has a couple more he's just waiting to talk to Google about.
September 24th, 2007 at 8:53 pm
Nate,
I'm a regular reader of your blog and I've seen both those posts.
The mail sending issue is not Google-specific, as it applies to almost any SMTP server: it's just the way unsigned email works.
The Google Docs one... well, I must confess I just forgot it: that's not easy keeping the count now ;)
Eagerly waiting for the upcoming news...
Cheers to both you and Billy :)
September 24th, 2007 at 11:45 pm
Haha, agreed, it isn't Google specific, anyone could make that mistake, but I do agree that it's been a rough month for them. Just wait for, oh, say Tuesday... I think Billy will scare some people with his next two posts.
September 25th, 2007 at 11:40 am
how about another 0day for GMail?
September 25th, 2007 at 12:09 pm
pdp, what are you waiting for? ;)
September 25th, 2007 at 2:47 pm
I feel kind of dirty... I will contact Google first, I guess. Do you want to try it?
September 25th, 2007 at 4:03 pm
pdp, I assumed you already contacted Google, you nasty boy.
Yes, please do the right thing contacting Google first and yes, I'd like to have a sneak peak in the meanwhile :)
September 26th, 2007 at 3:02 pm
[...] beveiligingslek in GMail te maken, ook in Analytics, Picasa, Polls en de Search Appliance zitten gaten. In het geval van de Search Appliance, dat zo’n 200.000 betalende gebruikers heeft, gaat het [...]
September 26th, 2007 at 6:40 pm
[...] First this week started with news of three serious vulnerabilities in Google’s services and products - via hacademix.net post GoogHOle (XSS pwning GMail, Picasa and almost 200K customers). [...]
September 27th, 2007 at 8:20 am
really bad month for google, we all shud disclose the holes we found... KEeep it up.
September 27th, 2007 at 10:09 pm
[...] developer Giorgio Maone offers a very good analysis in his Hackademics blog of which Google programs are flawe... and who discovered them. He outlines four [...]
September 28th, 2007 at 9:58 am
[...] per Informaction e autore di popolari estensioni per Firefox come FlashGot e NoScript, commenta su Hackademix.net: “i dettagli rilasciati da Petkov sono più che sufficienti per realizzare un PoC in 10 [...]
September 30th, 2007 at 7:53 pm
[...] google, bagi yang berminat untuk mengetahui lebih jauh bisa membaca pada blog nya Giorgio Maone di sini. Dari link tersebut kita juga dapat mencoba POC untuk eksploitasi google, namun seperti nya [...]
October 3rd, 2007 at 6:15 am
[...] . göze çarpan yeniliklerden birisi de bugunlerde google’ın da başını fena halde ağrıtan csrf ataklarına karşı güvenlik önlemlerinin alınması. yeni versiyonu denemek için gem [...]
October 25th, 2007 at 4:17 pm
[...] Maone’s post at Hackademix.net also reports other Google XSS vulnerabilities that have recently come to light, targeting gmail, [...]
February 20th, 2008 at 9:17 am
[...] This is all a long lead-up to this link, from hackademix.net, about four recent security weaknesses in google. [...]
May 15th, 2008 at 3:42 pm
damn.. i came late to this info..
beford dot org leads me here..
the poc link for "stealing incoming messages" are dead..
where can i find more information about that?
May 15th, 2008 at 4:29 pm
@karthi:
those links are not dead, it's just the vulnerability which has been fixed.
If you want to check how it used to work, you can just look at the source code:
view-source:http://beford.org/stuff/contacts.htm
view-source:http://beford.org/stuff/gmail.htm
May 16th, 2008 at 4:07 am
@Giorgio
OMG..
pls forgive my ignorance..
so, if someone opens the page when they are loggend onto gmail, the filter is set..?
May 16th, 2008 at 9:28 am
@karthi:
No, nothing bad happens anymore because the bug has been fixed by Google.
But yes, that was how it used to work originally.
May 17th, 2008 at 2:47 pm
thank you giorgio..
i read on other blog that, one can hack my pwd by making me to click an image or some other links using javascript..
is it really possible?
May 17th, 2008 at 3:49 pm
@karthi:
yes, they can, provided that the site is vulnerable to XSS.
May 17th, 2008 at 5:05 pm
hmm.. so.. noscript can block this type of attack??
hey.. besides, do you feel that i'm asking too many kiddie questions??
coz, i am a new born in this field..
June 11th, 2009 at 8:14 am
You can't hack gmail. That is b.s. My computer guy said it isn't possible. ticketslayer@gmail.com LOL