Friday, September 28th, 2007

All Your Google Docs are Belong To US…

It’s been a rough week for Google Security…  It seems like everyone had some Google vulnerability they wanted to disclose this week.  You can see some of the various vulns here, here, and here.


Well… the week isn’t over YET!  I’m actually disclosing this vulnerability because Google has already fixed it.  Although I don’t use Google Docs (because I’m a paranoid guy), I know a lot of people who do and I didn’t want to put their docs at risk.  Without further delay, the details…
This vulnerability allowed any Google Docs user to STEAL ARBITRARY DOCUMENTS from the Google Docs Server.  The basis of the vulnerability stems from a simple Session Management issue.  Once a user has logged into Google Docs and has created a document, they are presented with several options.  Under the “Share” tab, the user has an option to “Email Collaborators”.


Google Docs Share Tab


Once the user clicks the “Email Collaborators” link, the following HTTP GET request is made to


GET /Dialogs/EmailDocument?DocID=<ANY DOC ID HERE> HTTP/1.1
<appropriate HTTP headers here>


If you changed the DocID value to another DocID, Google Docs WOULD NOT VALIDATE whether you should have access to that DocID.  The title of the stolen document you requested will be shown (as a JavaScript variable) in the HTTP 200 OK response that is returned.  Once this step is completed, you can make a POST request to a Google Docs server-side script named MiscCommands.  The POST request looks something like this:


POST /MiscCommands HTTP/1.1
<appropriate HTTP headers here>
command=validate_address&docid=<ANY DOCID HERE>&


If you changed the DocID in the POST request, the entire contents of that document would be emailed to the addresses specified in the “addr” parameter!  I tested this against several friends’ Google Docs and it worked EVERY TIME!


This issue does hinge on being able to predict the DocID for the document that you want to steal.  At first glance, the DocID seems to be a fairly stout “random string”, but a little bit of analysis shows some interesting characteristics.  It seems that the DocID is delimited by an “_” character.  The characters preceding the underscore represent the Google Docs UserID.  Each document uploaded to Google Docs by a particular user will have the same characters up to the underscore.  Now… what about the characters after the underscore?  Well… take a look at what happens when I generate 10 different DocIDs in rapid succession:




Maybe the last set of characters isn’t as “random” as we thought…  Throw in some DocID enumeration (which exists) and we may be on to something here…  I’ve seen Session Management issues like this in MANY of the web applications I’ve assessed.  If your hired gun (webapp pentester) looks at you funny when you ask if they are testing for Session Management issues, FIND A NEW ONE!  There isn’t a web app vulnerability scanner on the market that can detect this, and Web App firewalls will not prevent this either!  It takes an actual brain and some experience to find these types of issues!
In closing, I would like to give a shout-out to the Google Security Team.  If you’ve ever dealt with the Google Security Team, you know that they take security seriously and they move fast… VERY FAST.  After giving them the details for a couple of Google vulnerabilities, it took Google ONE DAY to fix the issues and to deploy the fixes worldwide… Kudos to Chris and the GST.
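To make the two points above concrete (a valid session is not the same as permission to touch a given DocID, and a guessable DocID only matters because that check is missing), here is an added example that is not Google’s code: a tiny document service with the flawed “email this DocID” handler beside a hardened one that checks ownership or collaborator status first, plus an unguessable ID generator. All names (DocStore, email_document, can_read, new_doc_id), the users and the DocIDs are hypothetical, constructed sample data.

```python
# Added example, not the original post's or Google's code. Models the
# authorization gap described above and the fix a defender would apply.
import secrets
from dataclasses import dataclass, field


@dataclass
class Doc:
    owner: str
    title: str
    body: str
    collaborators: set = field(default_factory=set)


# Constructed sample store keyed by DocID. The IDs mimic the observed shape
# "<userid>_<suffix>"; bob's document has a trivially guessable suffix.
DOCS = {
    "ddk5q7c5_0cf2hhtvh": Doc("alice", "Q3 budget", "confidential numbers", {"carol"}),
    "fh2x9tqs_1": Doc("bob", "Notes", "bob's private notes"),
}


def email_document_vulnerable(session_user, doc_id, addr):
    """Mirrors the reported flaw: the session is authenticated, but the DocID
    taken from the request is trusted and never compared to the caller's rights."""
    doc = DOCS[doc_id]
    return {"to": addr, "subject": doc.title, "body": doc.body}


def can_read(session_user, doc):
    """Object-level authorization: owner or explicitly added collaborator."""
    return session_user == doc.owner or session_user in doc.collaborators


def email_document(session_user, doc_id, addr):
    """Hardened handler: authorize every request that names a DocID,
    regardless of how hard the DocID is to guess."""
    doc = DOCS.get(doc_id)
    if doc is None or not can_read(session_user, doc):
        # One response for both "missing" and "forbidden", so enumeration of
        # DocIDs cannot tell existing documents from absent ones.
        raise PermissionError("document not found or access denied")
    return {"to": addr, "subject": doc.title, "body": doc.body}


def new_doc_id(user_id):
    """Unpredictable suffix (128 bits from the OS CSPRNG) instead of a counter,
    so IDs are not enumerable. Defence in depth only: the check in
    email_document is what actually closes the hole."""
    return f"{user_id}_{secrets.token_urlsafe(16)}"
```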

Posted by xssniper | Filed in Security, Web Application Security

  • Kishor

    Good stuff!

  • Nathan McFeters

    Whoa whoa whoa, WE use AppScan, we don’t need consultants! Hahaha. Nothing against WebInspect, AppScan, Fortify, any of them. They are great tools, but they are simply that: tools. A machine will never be able to replace the thinking, feeling human mind when it comes to this kind of testing. An application can’t purchase a TV for -$1,000.00 and know that if it gets credited back to their credit card it’s a bad thing.

    I’ve worked with Billy a lot over the last two years, this is just another of the many examples we’ve provided during that time that show you cannot replace the value of a good app security tester.

  • sirdarckcat

    muahaha, now I’m part of the Google’s Dark Week

    This is a historic event hehe


  • ibz

    Kudos to the GST, at least they’re fast at patching vulnerabilities… unlike microcrap

  • Pingback: Zero Day mobile edition

  • Pingback: Google Health « NonaTheNinja

  • Pingback: yahoo on vanindita domain name » » Google Mashups Vulnerability

  • Tim Acheson

    Twitter’s internal systems have just been hacked into, along with the accounts of Twitter users (including celebrities):

    The initial point of entry wasn’t a gap in Twitter’s security. The hacker(s) gained access through a Google Apps account. The worry with a Google account is, it’s web-based and therefore only as secure as the rest of the Internet. If your Google account is compromised and you use Google Docs in a serious commercial setting, your Twitter account will be the least of your worries.