Wednesday, 14 May 2014

Google Docs “ClickJacking” (Information Disclosure)

(This issue was resolved 3-22-2014, before I finished writing the report, so it must have been reported before me.)
POC Video: https://www.youtube.com/watch?feature=player_embedded&v=kOnbQtHnHRo
tl;dr: Google Docs leaks the victim's full name and e-mail address via ClickJacking the “request permissions” dialog of a private doc.
Details:
[Figure: infoleak_flow]

  1. Victim visits the evil site.
  2. The evil server uses the Google Docs API to create a unique document for the visitor.
    1. The document is named with the unique session id of the victim.
    2. The document is set to private.
  3. A URL to the new document is returned to the server.
  4. An iframe is created containing the following page from Google:
     [Figure: google_perms]
    1. This page is cropped to show only the “request access” button.
    2. CSS is used to make the iframe 100% transparent and always on top of the page.
    3. JavaScript is used to make the cropped “request access” button follow the mouse around the page. The resulting “Click Jack” (UI redressing) looks like:
     [Figure: click_jack_goog]
  5. When the user clicks anywhere on the evil page, they are actually clicking the “request access” button of the Google doc.
  6. Once the user has clicked, the page starts polling the server with AJAX for an update.
  7. Google sends an e-mail on behalf of the user, including their full name and e-mail address, to the creator of the document (attacker@gmail.com) to request access.
  8. The evil server is running an IMAP client listening for document requests sent to attacker@gmail.com.
  9. The IMAP client receives the request for the Google doc that is named after the value of the session key. The evil server can now tie the user session (from the title of the requested document) to the “From:” name and address in the request. The polling request from step 6 is then answered with the identity of the current user.
Success!!!
[Figure: click_jack_success]

Notes:

Node.js was used for the server, which allowed a simple web server (Express) and an IMAP client to run in the same container. This allowed me to inject the identity directly into the user session once the e-mail was received.
Check out the POC code at https://github.com/matt-/google_doc_poc
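The fix for this class of bug sits on the framed side: the dialog page must refuse to be embedded by other origins. Below is an added example, not code from the original post or from the linked PoC repo, that audits a response's anti-framing headers (X-Frame-Options and CSP frame-ancestors) and decides whether a given top-level origin could overlay it the way the write-up describes; all header values and hostnames are constructed.

```javascript
// Added example, not code from the original post or the linked PoC repo:
// decide whether a top-level page at `framerOrigin` may embed a response
// in an iframe. Precedence follows CSP Level 2: a frame-ancestors directive
// overrides X-Frame-Options; with neither header, anyone may frame the page.
// Sample headers and hostnames below are constructed, not captured from Google.

function parseFrameAncestors(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Match one frame-ancestors source expression against an origin string such
// as "https://evil.example". Host sources carrying a port are not handled.
function sourceMatches(source, framerOrigin, pageOrigin) {
  const src = source.replace(/^'|'$/g, '').toLowerCase();
  if (src === 'none') return false;
  if (src === 'self') return framerOrigin === pageOrigin;
  if (src === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src; // "https:"
  const [scheme, host] = src.includes('://') ? src.split('://') : [null, src];
  if (scheme && framer.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1));
  return framer.hostname === host;
}

function framingAllowed(headers, framerOrigin, pageOrigin) {
  const get = (name) => {
    const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
    return entry ? entry[1] : undefined;
  };
  const ancestors = parseFrameAncestors(get('content-security-policy'));
  if (ancestors) return ancestors.some((s) => sourceMatches(s, framerOrigin, pageOrigin));
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no anti-framing header: the dialog can be overlaid by any site
}

// Constructed samples: the unprotected case, a hardened response, and one that
// permits framing only by itself and a partner domain.
const UNPROTECTED = { 'Content-Type': 'text/html' };
const HARDENED = { 'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" };
const PARTNER_ONLY = {
  'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example" };
```

Run `framingAllowed(UNPROTECTED, 'https://evil.example', 'https://docs.example')` to see the transparent-overlay case go through, and the same call against `HARDENED` to see it refused.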
