Friday, September 28th, 2007

All Your Google Docs are Belong To US…

It’s been a rough week for Google Security…  It seems like everyone had some Google vulnerability they wanted to disclose this week.  You can see some of the various vulns here, here, and here.

   

Well… the week isn’t over YET!  I’m actually disclosing this vulnerability because Google has already fixed it.  Although I don’t use Google Docs (because I’m a paranoid guy), I know a lot of people who do and I didn’t want to put their docs at risk.  Without  further delay, the details…
 
This vulnerability allowed any Google Docs user to STEAL ARBITRARY DOCUMENTS from the Google Docs Server.  The basis of the vulnerability stems from a simple Session Management issue.  Once a user has logged into Google Docs and has created a document, they are presented with several options.  Under the “Share” tab, the user has an option to “Email Collaborators”

     

Google Docs Share Tab

   

Once the user clicks the “Email Collaborators” link, the following HTTP GET request is made to docs.google.com:

   

GET /Dialogs/EmailDocument?DocID=<ANY DOC ID HERE> HTTP/1.1
<appropriate HTTP headers here>

    

If you changed the DocID value to another DocID, Google Docs WOULD NOT VALIDATE whether you should have access to that DocID.  The title of the stolen document you requested will be shown (as a javascript variable) in the HTTP 200 OK response that is returned.  Once this step is completed, you can make a POST request to a Google Docs Server Side Script named MiscCommands.  The POST request looks something like this:

   

POST /MiscCommands HTTP/1.1
<appropriate HTTP headers here>
 
command=validate_address&docid=<ANY DOCID HERE>&addr=gmail%40gmail.com&finis=true&POST_TOKEN=POSTTOKENVALUE

    

If you changed the DocID in the POST request, the entire contents of that document would be emailed to the addresses specified in the “addr” parameter!  I tested this against several friends Google Docs and it worked EVERYTIME! 

   

This issue does stem on being able to predict the DocID for the document that you want to steal.  At first glance, the DocID seems to be a fairly stout “random string”, but a little bit of analysis shows some interesting characteristics.  It seems that the DocID is delimited by an “_” character.  The characters preceding the underscore represent the Google Docs UserID.  Each document uploaded to Google Docs by a particular user will have the same characters up to the underscore.  Now… what about the characters after the underscore?  Well… take a look at what happens when I generate 10 different DocIDs in rapid succession:

    

mydocsid_14ggbd48
mydocsid_15gt54pt
mydocsid_16c44jws
mydocsid_17cnnfw8
mydocsid_18ggzpm7
mydocsid_19dczf6g
mydocsid_20c8h7nx
mydocsid_21czqc3h
mydocsid_22d48w8j
mydocsid_23f4hk9b
mydocsid_24gdwfzk

   

Maybe the last set of characters isn’t as “random” as we thought……  Throw in some DocID enumeration (which exists) and we may be on to something here…       I’ve seen Session Management issues like this in MANY of the web applications I’ve assessed.  If your hired gun (webapp pentester) looks at you funny when you ask if they are testing for Session Management issues, FIND A NEW ONE!  There isn’t a web app vulnerability scanner on the market that can detect this and Web App firewalls will not prevent this either!  It takes an actual brain and some experience to find these types of issues!                 
       
In closing, I would like to give a shout to the Google Security Team.  If you’ve ever dealt with the Google Security Team, you know that they take security seriously and they move fast…. VERY FAST.  After giving them the details for a couple of Google vulnerabilities, it took Google ONE DAY to fix the issues and to deploy the fixes worldwide… Kudos to Chris and the GST. 

Posted by xssniper | Filed in Security, Web Application Security


9 Responses to “All Your Google Docs are Belong To US…”

  1. September 28th, 2007 at 7:59 am

    Kishor said:

    Good stuff!

  2. September 28th, 2007 at 9:02 am

    Nathan McFeters said:

    Whoa whoa whoa, WE use AppScan, we don’t need consultants! Hahaha. Nothing against WebInspect, AppScan, Fortify, any of them. They are great tools, but they are simply that tools. A machine will never be able to replace the thinking, feeling human mind when it comes to this kind of testing. An application can’t purchase a TV for -$1,000.00 and know that if it get’s credited back to their credit card it’s a bad thing.

    I’ve worked with Billy a lot over the last two years, this is just another of the many examples we’ve provided during that time that show you cannot replace the value of a good app security tester.

  3. September 28th, 2007 at 10:48 am

    sirdarckcat said:

    muahaha, now I’m part of the Google’s Dark Week

    http://sirdarckcat.blogspot.com/2007/09/google-mashups-vulnerability.html

    This is a historic event hehe

    Greetz!!

  4. September 29th, 2007 at 1:27 pm

    ibz said:

    kudos to the Gst team..at least theyre fast at patching vulnerabilities…unlike microcrap

  5. March 18th, 2008 at 11:06 pm

    Zero Day mobile edition said:

    [...] This reminds me a lot of the work that Billy Rios has helped Google out with, as referenced here, here, and here. In these examples arbitrary user’s documents could be stolen from the Google Docs [...]

  6. May 22nd, 2008 at 9:03 am

    Zero Day mobile edition said:

    [...] This means that some of the more interesting attacks pulled off on Google applications, see Billy Rios and my previous work on Google Docs, get’s only as much coverage as the security researcher [...]

  7. May 23rd, 2008 at 8:05 am

    Google Health « NonaTheNinja said:

    [...] on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft [...]

  8. February 27th, 2009 at 12:37 pm

    yahoo on vanindita domain name » » Google Mashups Vulnerability said:

    [...] I wanted to be part of this hell of a week (Google’s Dark [...]

  9. July 16th, 2009 at 8:35 am

    Tim Acheson said:

    Twitter’s internal systems have just been hacked into, along with the accounts of Twitter users (including celebrities):

    http://www.timacheson.com/Blog/2009/jul/twitter_hacked_via_google_apps

    The initial point of entry wasn’t a gap in Twitter’s security. The hacker(s) gained access through a Google Apps account. The worry with a Google account is, it’s web-based and therefore only as secure as the rest of the Internet. If yuor Google account is compromised and you use Google Docs in a serious commercial setting, your Twitter account will be the least of your worries.



Please leave a Comment