iGoogle is a service of Google. Its features include the capability to add web feeds a personalized homepage. Google also allows all users to create a special gadget.
- Write crafted gadget
- Submit crafted gadget
- Share it
- Exploit it !
Then, we go …
1. Write crafted gadget
I’ve get the “Google News” gadget by downloading the following XML file:
http://www.gstatic.com/ig/modules/tabnews/kennedy/tabnews.xml
and added my <script> at the end like this :
…
ud=K.getString(x),vd=K.getMsg(x),wd=/\.cn$/.test(location.host);wd||!ud||ud==vd?pd():sd(ud); window.updateCustomEdit=kd;window.saveConfig=td;window.hideSettingsBlock=jd;})()</script>
<script>alert(/XSS by @MaKyOtOx/);</script>
<div id=settings_mask onclick="return false;"></div>
<div id=settings_block>
<div id=settings_content></div>
</div>
</Content></Module>
2. Submit crafted gadget
I’ve uploaded my xml here: http://www.makyoto.fr/xss/poc.xml
Then, once I’ve customized my gadget, I’ve submitted it here: http://www.google.com/ig/submit
No error was found in the crafted XML file, so it’s OK, my poc.xml is ready to be used as a gadget ^^
3. Share it
Easy to share with friends this gadget using the official sharing features. The following links can be sent to the victim:
http://www.google.com/ig/adde?moduleurl=www.makyoto.fr/xss/poc.xml%253C&source=imag
or
http://www.google.com/ig/directory?type=gadgets&url=www.makyoto.fr/xss/poc.xml
If you choose to add my gadget, a widget will be now present in the iGoogle dashboard.
4. Exploit it !
You are bad guys …
Google Security Team answered me “the domain in which the feature is hosted – gmodules.com – is specifically meant as a compartmentalized « sandbox » for various types of potentially unsafe, user-controlled content. This domain is isolated from any sensitive content due to the same-origin policy.”
Yes, they’re right because I cannot access to user auth cookies, but I can render and script what I want in the gadget … And, what if an attacker can access to popular gadgets XML files ?
Nevertheless I continue to believe that there is vulnerability because the XML file isn’t sufficiently sanitized before being processed.
Tweets are welcome @MaKyOtOx and @devquotes
