A Bug that allows hackers to see your private documents in google docs.
The feedback tool of Google, which is incorporated with a range of their services, has a bug that could be easily exploited by attackers to steal screenshots of sensitive data content only by embedding them in a malicious website.
This bug was discovered by security researcher Sreeram KL and was rewarded as part of Google's Vulnerability Reward Program. Most Google products, including Google docs, come with a "Sender feedback" option that even allows to include a screenshot - to highlight specific issues along with user feedback.
The feedback feature is deployed on Google's main website instead of duplicating the function in its services/products. With the help of an iframe element that loads the pop-up's content from "feedback. Google user content. com," it is integrated into other domains.
RGB values of each pixel of the screenshot, including the Google Docs window, are transmitted to www.google.com (parent domain), which then redirects those RGB values to the feedback's domain. Thus it constructs the image and sends it back in Base64 encoded format.
The attacker was able to modify the frame by exploiting the bug found in how these messages passed out to "feedback.googleusercontent.com." The attacker would modify the frame to a random external website, which helps them to steal and hijack those screenshots meant to be uploaded to the server of Google. Sreeram was successful in identifying this bug.
The reason behind this flaw is the absence of an X-Frame-Options header in the Google Docs domain. Thus, it made way for the attacker to change the message's target origin, thereby enabling the cross-origin communication between the frame contained in the page and the page itself.
An exploiter could easily capture the URL of the uploaded screenshot with the "Send feedback" button to filtrate it to a malicious site. The attacker could easily capture the URL by embedding a Google Docs file in an iFrame on a rogue website and then redirecting the contents to a domain of choice by hijacking the pop-up feedback frame.
Mozilla documentation states as follows- "Always specify an exact target origin, not *, when you use postMessage to send data to other windows. An affected site can change the location of the window without your knowledge, and therefore it can intercept the data sent using postMessage."