Vulnerability In Google Docs Could Allow Hijacking Feedback Screenshots

A serious vulnerability in Google Docs could have allowed anyone to steal screenshots of users' documents. Google has since fixed the vulnerability.

Google Docs Vulnerability

Security researcher Sreeram KL has shared the details of his findings regarding a Google Docs vulnerability in a blog post.

Briefly, he found the vulnerability in the "Send feedback" feature, which is available across Google services, including Google Docs. This feature allows a user to share the details of an issue with Google together with a screenshot, which gives Google a clearer picture of the exact problem.

While the feature is helpful for Google users, exploiting it could also threaten the security of Google Docs users.

The researcher noticed that Google implements this feedback feature on all its services as an iframe element, while the main feedback feature itself lives on Google's main website (google.com). When triggered, the iframe loads a popup with content from "feedback.googleusercontent.com".

As the researcher explained,

Google Docs sends the RGB values of every one of its pixels to the main iframe www.google.com via postMessage (as far as I have interpreted), which redirects those RGB values to its iframe feedback.googleusercontent.com via postMessage, which then renders an image from those pixels and sends back its base64-encoded data-URI to the main iframe.
Once this process is finished, we have to write a description for the feedback, and on clicking send, the description with the image (data-URI) is sent to https://www.google.com (Submit Feedback) via postMessage.

That’s where the bug existed.

The Exploit

The researcher observed that, because the page lacked an X-Frame-Options header, the iframe could be embedded elsewhere, and the message it sent on submission carried no check on the destination. Thus, it became possible for an adversary to replace the destination with any malicious website and hijack screenshots.

The final postMessage on submitting feedback was configured like windowRef.postMessage("<Data>", "*"); as there is no domain check, the browser happily sent the data to my domain, which I was able to capture and hijack the screenshot.
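The wildcard target origin quoted above is the whole bug: a message posted with "*" is delivered to whatever window holds the frame, including a page that embedded it without permission. The following is an added example, not code from the article or from the researcher's write-up. It models the browser's targetOrigin rule in plain Node.js so the vulnerable sender can be contrasted with the two standard controls: pinning the target origin on the sending side, and checking event.origin on the receiving side. The origins are taken from the article; "https://attacker.example" is a placeholder, and the payload is a constructed sample.

```javascript
"use strict";

// Origins named in the article; the attacker origin is a placeholder.
const FEEDBACK_ORIGIN = "https://feedback.googleusercontent.com";
const GOOGLE_ORIGIN = "https://www.google.com";
const ATTACKER_ORIGIN = "https://attacker.example";

// Minimal stand-in for a browser window: it knows its own origin and keeps
// the messages the (simulated) browser actually delivered to it.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;
    this.inbox = [];
  }
}

// Simulated browser rule for window.postMessage(data, targetOrigin):
// the message is delivered only if targetOrigin is "*" or exactly matches
// the receiving window's origin. Returns true when delivered.
function browserPostMessage(fromOrigin, toWindow, data, targetOrigin) {
  if (targetOrigin === "*" || targetOrigin === toWindow.origin) {
    toWindow.inbox.push({ origin: fromOrigin, data });
    return true;
  }
  return false;
}

// Vulnerable pattern from the write-up: wildcard target, so whoever framed
// the feedback page receives the description and the screenshot data-URI.
function sendFeedbackWildcard(parentWindow, payload) {
  return browserPostMessage(FEEDBACK_ORIGIN, parentWindow, payload, "*");
}

// Hardened sender: the target origin is pinned to the one expected parent.
// If the frame was embedded by anyone else, the browser drops the message.
function sendFeedbackPinned(parentWindow, payload) {
  return browserPostMessage(FEEDBACK_ORIGIN, parentWindow, payload, GOOGLE_ORIGIN);
}

// Hardened receiver: ignore any message whose origin is not on the allowlist.
// Returns the payload when accepted, null when rejected.
function handleFeedbackMessage(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) {
    return null;
  }
  return event.data;
}

// Runs the scenarios and returns the outcomes so they can be checked.
function runScenarios() {
  const payload = {
    description: "constructed sample feedback",
    screenshot: "data:image/png;base64,QUJD", // constructed, not a real image
  };
  const google = new FakeWindow(GOOGLE_ORIGIN);
  const attacker = new FakeWindow(ATTACKER_ORIGIN);

  return {
    // "*" leaks the screenshot to a frame owned by the attacker origin.
    wildcardToAttacker: sendFeedbackWildcard(attacker, payload),
    // Pinned origin: the browser refuses delivery to the attacker window.
    pinnedToAttacker: sendFeedbackPinned(attacker, payload),
    // Pinned origin: the legitimate parent still receives it.
    pinnedToGoogle: sendFeedbackPinned(google, payload),
    // Receiver check drops a message arriving from an unexpected origin.
    receiverRejectsSpoof:
      handleFeedbackMessage({ origin: ATTACKER_ORIGIN, data: payload }, [FEEDBACK_ORIGIN]) === null,
    // Receiver check accepts the genuine message delivered to the Google window.
    receiverAcceptsGenuine:
      handleFeedbackMessage(google.inbox[0], [FEEDBACK_ORIGIN]) === payload,
  };
}

console.log(runScenarios());
```

The sender-side pin and the receiver-side origin check are independent: the first stops the data from leaving the origin boundary at all, the second stops a receiver from acting on spoofed input. Both sit on top of the framing control the article mentions; serving the feedback page with an X-Frame-Options header (or a Content-Security-Policy frame-ancestors directive) prevents an unrelated site from embedding it in the first place.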

The following video demonstrates the exploit.

Google Patched The Flaw

Upon discovering the bug, the researcher reported it to Google through the Vulnerability Reward Program (VRP).

In turn, Google patched the flaw and also awarded a $3133.70 bounty.

Although the researcher discovered the flaw in July 2020, he disclosed the details only recently.
