Google Vulnerability
Yesterday I found a new Google.com XSS vulnerability that can be abused to steal information from Gmail accounts. I've done responsible disclosure of at least 3 vulns to Google, but since I haven't got enough 'motivation', I'll go full disclosure now.
The vulnerability exists in the Blogspot polls feature; I had already disclosed a vulnerability in this system. The 'font' parameter was not being sanitized before being used inside a STYLE tag, so you could inject IE's expression() and Mozilla's -moz-binding. They fixed it, but they didn't check the rest of the code carefully enough. The new XSS is:
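As an added example (not code from this post or from Google), here is the pattern behind the original 'font' bug, a value dropped straight into a STYLE block, next to an allowlist check that only accepts a plain font-family list. The poll markup and function names are assumptions.

```python
import re

# Allowlist for a CSS font-family value: comma-separated names made of letters,
# digits, spaces and hyphens, optionally single- or double-quoted. Parentheses,
# colons, semicolons, braces, slashes and backslashes are all rejected, which
# rules out expression(...), -moz-binding: url(...) and CSS escape tricks.
_FONT_NAME = r"\s*(?:'[A-Za-z0-9 \-]+'|\"[A-Za-z0-9 \-]+\"|[A-Za-z][A-Za-z0-9 \-]*)\s*"
_FONT_LIST = re.compile(rf"^{_FONT_NAME}(?:,{_FONT_NAME})*$")


def font_is_safe(font: str) -> bool:
    """Return True only if `font` is a plain font-family list of sane length."""
    return bool(font) and len(font) <= 200 and _FONT_LIST.fullmatch(font) is not None


def render_poll_style_vulnerable(font: str) -> str:
    """Vulnerable pattern: the request parameter is pasted into a <style> block.
    HTML escaping would not help here, because the browser parses this as CSS,
    not as HTML, so any CSS syntax the user sends is interpreted as-is."""
    return f"<style>.poll {{ font-family: {font}; }}</style>"


def render_poll_style_hardened(font: str, default: str = "Arial") -> str:
    """Hardened pattern: validate against the allowlist, fall back to a default.
    Constructed example only; the real poll template is not on this page."""
    chosen = font if font_is_safe(font) else default
    return f"<style>.poll {{ font-family: {chosen}; }}</style>"
```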
Since it's Sunday and there is nothing else to do, I've created 2 more PoCs: one of them shows your contacts, the second one will make Gmail forward all newly received emails to another email account, with no user interaction required; well, you just need to open a website while still logged in to Gmail.
POC1: http://beford.org/stuff/contacts.htm
POC2: http://beford.org/stuff/gmail.htm
I have tested them under IE, Konqueror, Opera and Firefox; it should work on all of them. If you want to be protected against this kind of attack, I'd highly recommend Firefox + NoScript.
Update: Google fixed this issue. I'd like to ask the people who looked at the second PoC to disable forwarding if you have not done so; I'm still getting a ton of email. This screenshot shows how to disable forwarding.
Ouch!
I love how you make your AJAX life easier by importing the Prototype library: dandy hacker
Fails with Firefox/NoScript …just FYI
sad that the issue is already fixed, don't see anything now
Hi -
I think perhaps both links do the forwarding? I believe that I only clicked on the contacts link.
But it looks like this sets up forwarding on the gmail account in question to your mailbox, since my gmail account has been forwarding to you for a couple of days.
Your account is now full, and bouncing, so I suspect I’m not the only one that clicked on it, and was left with all their email forwarding to you.
Sorry about that, and, of course, please delete.
I visited the poc page and saw nothing, but now I’m getting bounces from fernando@beford.org.
I guess I misunderstood the nature of XSS attacks – doesn’t restarting the browser fix the issue?
Ah, I’m dumb, I had no idea the POC turned on gmail forwarding. Sorry for mailbombing you Fernando, I did not fully understand your POC... and I get a LOT of freakin email via various Linux/FreeBSD mailing lists.
I guess that I should have added a bigger/better explained warning, I wasn’t expecting the exposure I got such as being on Slashdot/cnet/theregister/etc. I’ve just disabled that email account.
All the code is up there, only the second poc enabled forwarding http://beford.org/stuff/
Great job, sir!
I actually played with your POC and then forgot about it… I guess I should have paid more attention!
It’s amazing to know just how many of us will click a link even when we know it's bad… and it’s scary just how easy it is to exploit something that most of us use.
Excellent POC, excellent job!
P.S. please disregard all the securityfocus spam and porn that I sent you… =)
Not bad for a fairy like you ;-P
Cheers
Lithyum: Thanks, bisexual xD, but this is the old bug; it was the other one you had to look at.
Disable filtering? Wouldn’t simply reviewing your filters work to remove any evil ones? Or am I missing something?
Michael: There seems to be some confusion regarding this vulnerability/poc with pdp’s find. This only allowed using Gmail’s built-in option to forward incoming email; pdp’s find used a CSRF on Gmail to inject evil filters. According to what I read, David Airey’s account was attacked by using CSRF.
To reverse my attack, you have to disable Forwarding, and for pdp’s you have to remove evil filters from your filters list.
Okay so two different exploits. I am still confused and now concerned as well. Your post is rather unclear about what the second exploit does, how to undo it, or if Google has or hasn’t fixed the issue. Some of us would like to be able to use forwarding again on our accounts!
I think I have resolved my confusion. It isn’t that a user needs to disable forwarding, it is they need to remove the address your attack places in the pop/Forwarding page (unlike the previous attack which worked via filters). Correct?
Many thanks.
Michael
An update on the designer who lost his domain (and got it back again)
http://www.davidairey.co.uk/david-airey-domain-restored.html
Michael
That’s right Michael.
This is the post where pdp posted about the CSRF http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
Pdp just informed about the vuln on his blog, but didn’t release any details until Google fixed the issue.
My girlfriend just told me that she was seeing some “weird messages” on her account, and on inspection it looks like she fell foul of an exploit akin to your second POC quite some time ago – she’s only been getting messages now because the mailserver it’s trying to forward to has been failing.
I didn’t hear about this exploit when it was first found, and I’m reasonably technically-focused; my girlfriend didn’t stand a chance. I’m astonished that Google didn’t send out any kind of alert to their users when they patched the hole, because anyone who’d been exploited would still have the forwarding rule in place even after the patch.