Comments on: Google Docs puts Google Users at Risk
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/
Thoughts on Security in an Uncivilized World…
Fri, 13 Nov 2009 09:32:59 -0700

By: Google Health « NonaTheNinja
Fri, 23 May 2008 14:02:18 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-487

[...] commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to [...]

By: Google Health dissed by RSnake | My Blog Posts
Fri, 23 May 2008 12:49:09 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-486

[...] commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to [...]

By: Zero Day mobile edition
Thu, 22 May 2008 18:41:14 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-484

[...] of the more interesting attacks pulled off on Google applications, see Billy Rios and my previous work on Google Docs, gets only as much coverage as the security researcher who did or did not disclose the [...]

By: Telamoon
Fri, 28 Sep 2007 19:49:07 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-186

Nice post xssniper. Quite an eye-opener. I’m a firm believer in the SAAS model and I’ve just started using Googledocs at our company. I’ll be following this with special interest. Anyone know if these issues are also known to affect the MS Office Live env or does MS do it differently?

By: xssniper
Wed, 26 Sep 2007 16:16:49 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-177

@Rosario – Ahhh… if only it were so easy. Causing the browser to display sensitive content and pulling that sensitive content to an attacker-controlled domain are two totally different things my friend.

The second item is left as an exercise for the reader, but all the heavy lifting is already done for you…

By: Rosario Valotta
Wed, 26 Sep 2007 15:47:31 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-176

Sad September for Google Security team…
Looking at your PoC I’ve noticed that a more simple CSRF can be used to steal contacts as the remote resource is not token-protected:
http://docs.google.com/contacts/data/contacts?thumb=true&groups=true&show=ALL&enums=true&psort=Name&max=900
(e.g. using )
More, Adobe livedoc states that loading the crossdomain file from docs.google.com your application can access “only” to that domain… how can you access resource from mail.google.com domain? Is it the missing step? :-)

By: Nathan McFeters
Wed, 26 Sep 2007 14:41:20 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-174

The day that they implement crossdomain.xml in JavaScript will be a very very sad day… at least right now I can install a browser that doesn’t support flash… I mean, the whole web requires JS.

By: xssniper
Wed, 26 Sep 2007 14:40:16 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-173

@MartinJ – Still works for me at this time. I haven’t tested it with Safari, but it should still work as I’m obeying all of Flash’s cross domain rules. It seems that pulling cross domain content with a Flash Object loaded by Firefox is a little buggy. Some instances of Firefox require a refresh in order for the list to appear (which I built into the page). Is the page refreshing after 10 seconds in your browser?

BK

By: MartinJ
Wed, 26 Sep 2007 12:31:53 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-171

Has this been fixed? The PoC does not work for me (tested on Firefox and Safari)

By: .mario
Wed, 26 Sep 2007 12:06:46 +0000
http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/comment-page-1/#comment-170

“On another note, the W3C people are thinking of implementing the crossdomain.xml concept for browser JS as well. To me, this is just plain bad idea!!!”

Sweet Jesus – nooo… I didn’t know that but dreamt about it.

Nice find Billy AND/OR Nate!
