Filename | Script Execution flaw in Google drive poses security threat |
Permission | rw-r--r-- |
Author | Unknown |
Date and Time | 3/15/2013 |
Label | Cyber News |
Ethical Hacking Institute in Pune
./Arizona Team
Once again the Google Security Team has shot itself in the foot. Ansuman Samantaray, an Indian penetration tester, discovered a small but creative security flaw in Google Drive that poses a phishing threat to millions of Google users; the Google Security team dismissed it with the reply, "It is just a mere phishing attempt, not a bug in Google".
According to Ansuman, he reported a JavaScript script execution vulnerability in Google Drive files to the Google Security Team on 20th December 2012, and on the very next day his finding was rejected by Google, so that he would not be considered for the Google bug bounty hall of fame.
The ability to execute malicious script through Google Drive files poses security threats beyond phishing: it can be extended to malware spreading and more, depending on how creative the attacker is.
The flaw exists in the way Google Drive previews documents in the browser. The online preview executes code written in a doc file as HTML/JavaScript, simply by changing the value of a URL parameter called "export".
ie. https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=download .
When a Google user uploads or creates a file on Google Drive/Docs, the URL to that file has 'export' set to "download" by default, so that the user can only download it.
But Ansuman found that if an attacker changes this "export" parameter to "view", the malicious code written in a document file created by the attacker is executed in the browser.
ie. https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=view
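The root cause described above is a server that lets a URL parameter switch a user-uploaded file from "download" to "render inline" while trusting the uploader's declared content type. The following added example (written for this page, not Google's code; the endpoint, file record and header names are assumptions) models that weak behaviour beside a hardened version, and includes a check a defender can run against any file-serving endpoint's response to decide whether a browser would treat the body as an active HTML document.

```python
# Added example: a file-serving endpoint that honours an "export" parameter
# (download vs. view), first the weak form, then a hardened form, plus a
# response check. Nothing here is Google's code; the shapes are assumed.
from typing import Dict, Tuple

# Constructed sample: an "uploaded document" whose bytes are really HTML+JS
# and whose declared type was chosen by the uploader at upload time.
UPLOADED_FILE = {
    "name": 'report".doc\r\nX-Injected: 1',   # hostile filename (constructed)
    "declared_type": "text/html",             # uploader-controlled
    "bytes": b"<html><body><script>document.title='rendered as HTML'"
             b"</script></body></html>",
}

Response = Tuple[int, Dict[str, str], bytes]


def serve_insecure(params: Dict[str, str], stored: dict) -> Response:
    """Weak behaviour: export=view serves the raw bytes inline with the
    uploader-declared Content-Type, so HTML/JS inside the 'document' runs
    in the serving origin. This is the pattern the article describes."""
    headers = {"Content-Type": stored["declared_type"]}
    if params.get("export", "download") == "download":
        headers["Content-Disposition"] = f'attachment; filename="{stored["name"]}"'
    else:  # "view": inline rendering, trusting the declared type
        headers["Content-Disposition"] = "inline"
    return 200, headers, stored["bytes"]


def _safe_filename(name: str) -> str:
    """Strip characters that could break the Content-Disposition header."""
    return "".join(c for c in name if c.isprintable() and c not in '";\\')


def serve_hardened(params: Dict[str, str], stored: dict) -> Response:
    """Hardened variant: the export parameter still chooses download vs.
    preview, but a preview never hands user bytes to the browser as an
    active document, and the declared type is never reflected."""
    headers = {
        "X-Content-Type-Options": "nosniff",            # no MIME sniffing
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if params.get("export", "download") == "view":
        # Preview as inert text; a real service would convert server-side
        # and serve the result from a separate, cookieless origin.
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = "inline"
        return 200, headers, stored["bytes"]
    headers["Content-Type"] = "application/octet-stream"
    headers["Content-Disposition"] = (
        f'attachment; filename="{_safe_filename(stored["name"])}"'
    )
    return 200, headers, stored["bytes"]


ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}


def renders_active_content(response: Response) -> bool:
    """Would a browser treat this response body as an active document?
    Usable as a check against any file endpoint's captured response."""
    _status, headers, body = response
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "inline").lower()
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    if disposition.startswith("attachment"):
        return False                      # saved to disk, not rendered
    if ctype in ACTIVE_TYPES:
        return True
    if not ctype and not nosniff and b"<script" in body.lower():
        return True                       # sniffable as HTML
    return False


if __name__ == "__main__":
    for name, fn in (("insecure", serve_insecure), ("hardened", serve_hardened)):
        for export in ("download", "view"):
            resp = fn({"export": export}, UPLOADED_FILE)
            print(f"{name:8} export={export:8} active={renders_active_content(resp)}")
```

The check treats `Content-Disposition: attachment` as safe regardless of type, flags the active MIME types outright, and also flags a missing type without `nosniff` when the body looks like HTML, since browsers will sniff in that case. The hardened preview deliberately does not reuse the uploader's declared type at all; any conversion to a viewable form should happen server-side and be served from an origin that carries no session cookies.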
"Any internet user can enter malicious scripts in the application which, when sent as an email to a victim user, can steal the user's information. Such attacks can be used to launch devastating XSS based attacks," he said.
For demonstration, a file was created on Google Drive here (with the download value) and here (with the view value). The file includes JavaScript code that prompts a fake password login, asking the user to re-authenticate in order to view the document.
If the victim is successfully phished, the password is stored at a remote location (here) and the victim is redirected back to the Google Drive homepage after the attack.
This is not the first time the Google security team has failed to analyse the possible threat level. Last week, another Google Drive clickjacking flaw was refused by Google, one that was later extended into a phishing attack.
www.arizonainfotech.com
CEH CHFI ECSA ENSA CCNA CCNA SECURITY MCITP RHCE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE