Tuesday, January 8th, 2008
A while back I came across another interesting issue that allowed me to steal an arbitrary Google Doc (assuming I knew the DocID). This issue has already been fixed by Google, but the details are pretty interesting so I thought I would share! Now, before I get into the gory details, I’d like to mention two things about Google:
- I know some people have had issues with Google’s Security Team (GST), but I’ve always had pleasant experiences with them. GST moves with LIGHTNING speed and they are usually great about keeping me apprised of the status of the various issues I’ve reported to them.
- In addition to fixing this particular exposure, GST has also increased the entropy of the DocID, making exploits based on DocID guessing totally impractical. It’s a great example of going the extra step to help protect users…
Now… the gory details… First, I went to WordPress.com and created a new blog (there were other ways to pull this off, but this was the easiest way). Once the blog was created, I logged into Google Docs with my account, created a document and selected the “publish this document” option. Once in the “publish” menu, I selected the “Blog Site Settings” option. This option basically allows a Google Docs user to create a document in Google Docs and POST it directly to their blog! I entered my blog provider, blog username, and blog password into the blog settings page. The page is shown below:
Once my blog settings were properly entered, I selected the “Publish This Document To Your Blog” option. The POST request made by my browser looked something like this:
POST /MiscCommands HTTP/1.1
When this feature is selected, it appears that the Google Docs server makes a request to the xmlrpc.php file on the blog server (WordPress.com), passing the credentials I gave in the blog settings. When the blog server indicates that the blog creds were valid, the Google Docs server sends the contents of the Google Doc to the blog server. Hmmmm… that docID value looks reeeallly interesting… I changed the docID in the POST request from the docID of my newly created document to the docID of the “Article For Oak Tree View” (the document used by Google to demo Google Docs).
After changing the docID and sending the POST request, I logged into my WordPress Blog and LO AND BEHOLD… my first blog POST was the Oak Tree Newsletter!
I tried it on some friends’ documents with the same result and then contacted the GST…
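The bug behind this write-up is a missing authorization check: the docID in the publish request was trusted, and because the destination blog (and its credentials) are chosen by the requester, any document whose ID you know could be pushed into a blog you control. The model below is an added example, not Google’s code or the original post’s: the document store, sessions, ACL, blog credentials and the in-memory BlogClient standing in for the xmlrpc.php call are all constructed here so it runs offline. It shows the exploitable handler next to one that checks the logged-in user against the document, plus a high-entropy ID generator of the kind the post says GST added afterwards.

```python
"""Model of the "publish to blog" authorization bug described above.

Added example with constructed data; not Google's implementation. The real
service talked to the blog's xmlrpc.php; here that transport is a stub that
validates constructed credentials and records what was posted.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: str
    owner: str
    body: str
    readers: set = field(default_factory=set)  # users the owner shared it with


# Constructed sample data: the attacker's own doc and a victim's doc.
DOCS = {
    "doc-attacker-1": Document("doc-attacker-1", "attacker", "my own note"),
    "doc-victim-42": Document("doc-victim-42", "victim", "Article For Oak Tree View"),
}

# Session token -> authenticated user (constructed).
SESSIONS = {"sess-attacker": "attacker", "sess-victim": "victim"}


class BlogClient:
    """Stand-in for the XML-RPC call to the blog server.

    Mirrors the flow in the post: the blog credentials supplied by the
    requester are checked first, then the document body is sent.
    """
    VALID_CREDS = {("attackersblog", "hunter2")}  # constructed

    def __init__(self):
        self.posts = []

    def new_post(self, username, password, title, body):
        if (username, password) not in self.VALID_CREDS:
            raise ValueError("blog rejected credentials")
        self.posts.append((username, title, body))
        return len(self.posts)


def publish_vulnerable(session_token, doc_id, blog, username, password):
    """The exploitable pattern: doc_id from the POST body is trusted.

    The only check is that a session exists. Nobody asks whether that user
    may read doc_id, and the destination is attacker-chosen, so any document
    with a known ID can be exfiltrated to the attacker's blog.
    """
    if session_token not in SESSIONS:
        raise PermissionError("not logged in")
    doc = DOCS[doc_id]
    return blog.new_post(username, password, doc.doc_id, doc.body)


def may_read(user, doc):
    """Assumed access rule: owner or anyone the doc was shared with."""
    return user == doc.owner or user in doc.readers


def publish_fixed(session_token, doc_id, blog, username, password):
    """Same flow, with the document access check the original lacked."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("not logged in")
    doc = DOCS.get(doc_id)
    # One error for both missing and forbidden: don't confirm which IDs exist.
    if doc is None or not may_read(user, doc):
        raise PermissionError("no such document or access denied")
    return blog.new_post(username, password, doc.doc_id, doc.body)


def new_doc_id():
    """Unguessable identifier: 24 random bytes (192 bits), 32 URL-safe chars.

    Defence in depth only; it does not replace the check in publish_fixed.
    """
    return secrets.token_urlsafe(24)
```

Run the vulnerable handler with the attacker’s session, the victim’s docID and the attacker’s blog credentials and the victim’s body lands in the attacker’s post list; the fixed handler refuses the same request while still letting the attacker publish their own document.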