iGoogle is a service of Google. Its features include the capability to add web feeds to a personalized homepage. Google also allows any user to create their own gadget.
- Write crafted gadget
- Submit crafted gadget
- Share it
- Exploit it!
Then, let's go …
1. Write crafted gadget
I got the “Google News” gadget by downloading the following XML file:
and added my <script> at the end, like this:
<script>alert(/XSS by @MaKyOtOx/);</script>
<div id=settings_mask onclick="return false;"></div>
2. Submit crafted gadget
I’ve uploaded my XML here: http://www.makyoto.fr/xss/poc.xml
Then, once I had customized my gadget, I submitted it here: http://www.google.com/ig/submit
No error was reported for the crafted XML file, so it’s OK: my poc.xml is ready to be used as a gadget ^^
3. Share it
This gadget is easy to share with friends using the official sharing features. The following links can be sent to the victim:
If you choose to add my gadget, a widget will then be present in your iGoogle dashboard.
4. Exploit it!
You are bad guys …
Google Security Team answered me “the domain in which the feature is hosted – gmodules.com – is specifically meant as a compartmentalized « sandbox » for various types of potentially unsafe, user-controlled content. This domain is isolated from any sensitive content due to the same-origin policy.”
Yes, they’re right, because I cannot access user auth cookies, but I can render and script whatever I want in the gadget … And what if an attacker can access popular gadgets’ XML files?
Nevertheless, I continue to believe that there is a vulnerability, because the XML file isn’t sufficiently sanitized before being processed.
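As an added example (not part of the original post, and not Google's own review code): a small Python audit that extracts the html Content body of a gadget manifest, lists the script elements and inline event handlers it carries, and reports what a shared copy adds relative to the published original, which is exactly the kind of appended script the post describes. The two manifests, the gadget.example host and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed stand-ins (not the real Google News gadget): ORIGINAL_XML is the
# published manifest, SHARED_XML the copy with a script appended to its body.
ORIGINAL_XML = """<Module>
  <ModulePrefs title="Google News" />
  <Content type="html"><![CDATA[
    <div id="news"></div>
    <script src="https://gadget.example/news.js"></script>
  ]]></Content>
</Module>"""
SHARED_XML = ORIGINAL_XML.replace("]]>", """<script>alert(/XSS by @MaKyOtOx/);</script>
    <div id=settings_mask onclick="return false;"></div>
  ]]>""")

class ActiveContentFinder(HTMLParser):
    """Collects <script> elements and on* event handlers from gadget HTML."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # External script: record its src; inline script: mark as such.
            self.found.append(("script", dict(attrs).get("src") or "inline"))
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.found.append(("handler", f"{tag}.{name}"))

def active_content(xml_text):
    """Return (kind, detail) pairs for every html-typed Content section."""
    root = ET.fromstring(xml_text)
    finder = ActiveContentFinder()
    for content in root.findall("Content"):
        if content.get("type") == "html":
            finder.feed(content.text or "")  # the CDATA body is plain text to ET
    finder.close()
    return finder.found

def added_active_content(original_xml, shared_xml):
    """Active content present in the shared copy but absent from the original."""
    baseline = set(active_content(original_xml))
    return [f for f in active_content(shared_xml) if f not in baseline]

if __name__ == "__main__":
    for kind, detail in added_active_content(ORIGINAL_XML, SHARED_XML):
        print(f"added {kind}: {detail}")
```

The script only surfaces what changed; since every gadget legitimately carries script, the compartmentalized gmodules.com origin, not content filtering, is what keeps this away from the user's google.com session.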
Tweets are welcome @MaKyOtOx and @devquotes