Google has patched a vulnerability in the feedback tool used across its services. The vulnerability made it possible to steal screenshots of confidential documents from the Google Docs service simply by embedding them in a malicious website.
The vulnerability was discovered on July 9 by security researcher Sreeram KL, who received $3,133 from Google under its bug bounty program for reporting it.
Many Google services, including Google Docs, have a feedback option that allows users to submit feedback, bug reports, and suggestions for improving the service to the company. Users have the option to include screenshots that load automatically in their posts to illustrate the problem.
However, instead of duplicating this functionality across all services, Google implemented it on its main site (www [.] Google.com) and integrated it with other domains via an iframe element that loads pop-up content from feedback.googleusercontent.com. This means that whenever a screenshot is included from the Google Docs window, rendering the image requires passing the RGB values of each pixel to the parent domain (www [.] Google.com), which then forwards those RGB values to the feedback domain, which ultimately generates the image and sends it back in Base64-encoded form.
Security researcher Sreeram KL identified a vulnerability in the way these messages were transmitted to the feedback.googleusercontent.com domain. By exploiting it, an attacker could replace the frame with an arbitrary external website and thus intercept screenshots of Google Docs that were intended to be sent to Google's servers.
The vulnerability is caused by the absence of the X-Frame-Options header on the Google Docs domain, which could allow an attacker to change the destination of the message and abuse the link between the page and the frame it contains.
Although the attack requires some user action, such as clicking the "Send Feedback" button, an attacker could easily exploit the vulnerability to capture the URL of the uploaded screenshot and send it to a malicious site. This can be achieved by embedding a Google Docs file in an iframe on a fraudulent site and intercepting the feedback pop-up to redirect its content to a domain under the attacker's control.
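The defensive side of the pattern described above, as an added example that is not Google's code: a cross-origin screenshot message is posted with a pinned target origin, the receiver checks the sender's origin and the payload shape, and the document origin sends anti-framing headers. The origins and the message format are assumed for illustration.

```javascript
// Added example, not Google's implementation. Origins and message shape are assumed.
const TRUSTED_PARENT = "https://www.google.com";
const FEEDBACK_ORIGIN = "https://feedback.googleusercontent.com";

// Sender side: pin the target origin. A wildcard ("*") would hand the pixel data
// to whatever document currently occupies the frame, which is the flaw described above.
function buildScreenshotMessage(pixels, width, height, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post screenshot data with wildcard targetOrigin");
  }
  return { targetOrigin, data: { type: "screenshot", width, height, pixels } };
}

function postScreenshot(targetWindow, pixels, width, height) {
  const msg = buildScreenshotMessage(pixels, width, height, FEEDBACK_ORIGIN);
  // The browser only delivers the message if the frame's origin matches targetOrigin.
  targetWindow.postMessage(msg.data, msg.targetOrigin);
  return msg;
}

// Receiver side: accept only messages from the expected parent origin and of the expected shape.
function createFeedbackReceiver(allowedOrigin) {
  const accepted = [];
  const rejected = [];
  function onMessage(event) {
    const d = event.data;
    if (event.origin !== allowedOrigin) {
      rejected.push({ reason: "origin", origin: event.origin });
      return false;
    }
    const validShape = d && d.type === "screenshot" && Array.isArray(d.pixels) &&
      d.pixels.length === d.width * d.height * 3; // three RGB values per pixel
    if (!validShape) {
      rejected.push({ reason: "shape", origin: event.origin });
      return false;
    }
    accepted.push(d);
    return true;
  }
  return { onMessage, accepted, rejected };
}

// Response headers for the document origin so third-party pages cannot embed it in an iframe.
// frame-ancestors supersedes X-Frame-Options in CSP-aware browsers; sending both covers older ones.
function antiFramingHeaders() {
  return { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'" };
}

// Demo with constructed data: a 2x1 RGB image from the trusted parent, then the same
// payload from an attacker-controlled origin, which the receiver drops.
const samplePixels = [255, 0, 0, 0, 0, 255];
const receiver = createFeedbackReceiver(TRUSTED_PARENT);
receiver.onMessage({ origin: TRUSTED_PARENT, data: { type: "screenshot", width: 2, height: 1, pixels: samplePixels } });
receiver.onMessage({ origin: "https://attacker.example", data: { type: "screenshot", width: 2, height: 1, pixels: samplePixels } });
```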