A bug in Google Docs allowed viewing other people’s private documents

Google Docs bug
Written by Emma Davis

In the summer of 2020, researcher Sreeram K.L. earned $ 3133.70 as a bug bounty after finding a bug in Google Docs.

The point is that a vulnerability in Google’s feedback tool could be used to steal sensitive information.

I was able to obtain Google Docs screenshot of any document exploiting postmessage misconfiguration and a browser behavior.Sreeram K.L. reported.

Many Google products (including Google Docs) are equipped with Send feedback and Help Docs improve features, which allow users to submit feedback, as well as attach screenshots to demonstrate a specific issue they encountered.

Google Docs bug
These features are not duplicated across services, instead the feedback is deployed around the main Google site (google.com) and integrated elsewhere through an iframe that loads the popup content from feedback.googleusercontent.com.

When you attach a screenshot of a Google Docs window, rendering an image requires passing the RGB values of each pixel to google.com, which then redirects those values to the feedback domain, which ultimately creates the image and sends it back as Base64.Explains Sreeram K.L.

The researcher found a bug in the way these messages are sent to feedback.googleusercontent.com.
The bug made it possible to make changes to the frame, directing content to an arbitrary external site, steal or intercept screenshots intended for uploading to Google servers. The problem was related to the missing X-Frame-Options header in the Google Docs domain.

A demonstration of the attack can be seen below.

The attack required some interaction with the user (for example, clicking the “Send feedback” button), then the exploit could exploit the vulnerability, intercept the URL of the uploaded screenshot and transmit it to a malicious site.

The expert says the attack could have been carried out by embedding a Google Docs file in an iFrame on a malicious site, then intercepting the feedback pop-up and redirecting its contents to the attacker’s chosen domain.

Let me remind you the Thousands of Google Calendars Disclose Confidential Information.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply