11/24/09
Risks of Google's cross-site scripting vulnerabilities
Categories: Computers
Buzer
@ 09:05:34 am
I recently discovered a cross-site scripting vulnerability in Google Spreadsheets (or, to be more specific, I extended the idea from fsteff's discovery; it has been fixed now).
Then I started thinking: what exactly could one do with this? You have access to the user's cookies under google.com, because cookies scoped to the google.com domain are sent to, and readable by script on, every google.com subdomain, so a payload injected into one subdomain can read them all (unless they are marked HttpOnly). At first I was thinking of Google Checkout, but that requires you to authenticate the purchases. You can, however, get the details from the Google account page (name, address, etc.), including the user's other email addresses. By itself this isn't too scary. However, you also get access to Gmail.
So the attacker gets access to your mail (I don't think writing a PHP/Python/whatever script to drive the webmail interface would be too hard). Naturally they also get every email that might contain one of your passwords. They might also scan your mail for your credit card number: they already have the last digits from your Google account page, as well as your address.
Next step? Find the password reset page for your other email addresses (or just try the passwords found in your mail), since you might use Gmail as the "secondary email" for those accounts. Reset the password and grab the interesting things from there as well.
Next step? Try password resets on other interesting sites (Facebook, web shops, etc.) with the email addresses they obtained, then use those accounts as they see fit. They could, for example, use social media sites (and Gtalk) to spread the malicious URL further.
But there is still more: Google Docs. I'm not sure how popular they are currently, but the code could just grab the documents and analyze them later for anything noteworthy (SSNs, etc.).
So, what should be done to mitigate the risk, even a bit? One possibility would be for each subdomain to set its own unique cookie, required in order to access content there. A host-only cookie (one set without a Domain attribute) is only sent back to the exact host that set it, so script injected into one subdomain could not read another subdomain's session cookie. Marking session cookies HttpOnly would additionally keep them out of document.cookie, although injected script on the same origin can still make requests that carry them.
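To make the cookie-scoping point concrete, here is an added example (not code from the original post, and not Google's code): a small model of how a browser decides which cookies a page on a given host can see, following the domain-matching rules of RFC 6265. The hostnames, cookie names and values are constructed for illustration. It shows that a session cookie set with Domain=google.com is visible to document.cookie on any google.com subdomain, while a host-only cookie set by mail.google.com is not, that HttpOnly hides a cookie from script entirely, and what the per-subdomain cookie suggested above buys you.

```javascript
// Added example: a minimal model of RFC 6265 cookie scoping (not Google's
// code; hostnames, cookie names and values below are constructed).

// RFC 6265 section 5.1.3: `host` domain-matches `domain` when they are equal
// or `host` ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Store a cookie as the browser would after a Set-Cookie from `setHost`.
  // attrs.domain   - Domain attribute; absent means a host-only cookie.
  // attrs.httpOnly - HttpOnly attribute; hides the cookie from document.cookie.
  // Returns false when the browser would reject the cookie (RFC 6265 5.3,
  // step 6: the Domain attribute must cover the host that set it).
  setCookie(setHost, name, value, attrs = {}) {
    const hostOnly = !attrs.domain;
    const domain = hostOnly
      ? setHost.toLowerCase()
      : attrs.domain.toLowerCase().replace(/^\./, ""); // leading dot is ignored (5.2.3)
    if (!hostOnly && !domainMatches(setHost, domain)) return false;
    this.cookies.push({ name, value, domain, hostOnly, httpOnly: !!attrs.httpOnly });
    return true;
  }

  // Cookies a request to `host` would carry (RFC 6265 5.4). Host-only
  // cookies need an exact host match; domain cookies use domain-matching.
  cookiesFor(host) {
    const h = host.toLowerCase();
    return this.cookies.filter(c => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)));
  }

  // What document.cookie returns to script running on `host`: the same set
  // as cookiesFor, minus HttpOnly cookies.
  documentCookie(host) {
    return this.cookiesFor(host)
      .filter(c => !c.httpOnly)
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// The situation the post describes: one session cookie scoped to the whole
// google.com domain, readable by script injected into any subdomain.
function demoDomainScopedSession() {
  const jar = new CookieJar();
  jar.setCookie("www.google.com", "SID", "sessiontoken", { domain: ".google.com" });
  jar.setCookie("mail.google.com", "GMAIL_AT", "mailtoken");            // host-only
  jar.setCookie("mail.google.com", "GX", "hidden", { httpOnly: true }); // host-only + HttpOnly
  return {
    xssSeesOnSpreadsheets: jar.documentCookie("spreadsheets.google.com"),
    sentToMail: jar.cookiesFor("mail.google.com").map(c => c.name),
    scriptSeesOnMail: jar.documentCookie("mail.google.com"),
    // A page on one subdomain cannot plant a cookie for an unrelated domain.
    foreignDomainRejected: !jar.setCookie("spreadsheets.google.com", "x", "y", { domain: "example.com" }),
  };
}

// The mitigation the post suggests: each subdomain sets its own host-only
// session cookie, so an XSS on spreadsheets.google.com sees nothing of Gmail's.
function demoHostOnlySessions() {
  const jar = new CookieJar();
  jar.setCookie("mail.google.com", "MAIL_SID", "mailsession", { httpOnly: true });
  jar.setCookie("spreadsheets.google.com", "DOCS_SID", "docssession", { httpOnly: true });
  return {
    xssSeesOnSpreadsheets: jar.documentCookie("spreadsheets.google.com"),
    sentToSpreadsheets: jar.cookiesFor("spreadsheets.google.com").map(c => c.name),
    sentToMail: jar.cookiesFor("mail.google.com").map(c => c.name),
  };
}

console.log(demoDomainScopedSession());
console.log(demoHostOnlySessions());
```

Run it with Node to see both jars side by side: in the first, script on spreadsheets.google.com reads the domain-wide SID; in the second, it reads nothing, and each host-only session cookie is sent only to the host that set it. The model deliberately leaves out the Path and Secure attributes and the public-suffix check real browsers apply, since none of them change the subdomain point being made.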