By: Billy (BK) Rios (billy dot rios -at- gmail)
You must be logged into Google for this PoC to work.
If you are not logged in, the Flash applet will simply be blank.
Firefox users may have to wait 10 seconds for their contact lists to appear.
The whole concept of "Taking Ownership" of someone else's content can be VERY dangerous. The reason ownership of content is so scary is because the ENTIRE trust model for the World Wide Web is basically built on ONE thing... the DOMAIN NAME.
Google Documents basically allows you to upload your documents (aka content) to a Google server. Once you've uploaded the document, Google has essentially taken ownership of the document. There are ways to minimize the risks associated with taking ownership of content and it seems that Google has taken some measures to sanitize for XSS... but it seems that their focus on XSS may have caused them to miss a different type of cross domain exposure.
Flash Players (>220.127.116.11) support a method for making cross domain requests. This method allows a user (or attacker) to specify where a crossdomain.xml file is located on a particular server. Essentially, if the flash player finds this crossdomain file (and the file is properly formatted) the flash player will allow cross domain requests to the domain that "owns" the crossdomain policy file, in this case... Google.com. The PoC just displays your contact list, but I have full access to the Google.com domain, so the sky is the limit (aka I can read all your email too)... I left out one key step needed to pull this off and the source for the Flash applet will not be published at this time in order to slow the kiddies.
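The defender-side check that follows from the paragraph above is an audit of the master crossdomain.xml: a policy file a site serves from its root decides who may read responses from that domain, and its `site-control` meta-policy decides whether the Flash player will honour policy-shaped files found at any other path on the same host (the class of exposure user-uploaded content creates). The script below is an added example, not code from the original post or from Google; the two policies it inspects are constructed samples, and the finding codes are the example's own.

```python
# Added example (not code from the original post): audit a Flash
# crossdomain.xml master policy for the settings that matter when user
# content is served from the same domain. Sample policies below are
# constructed for the example.
import xml.etree.ElementTree as ET

# Constructed sample: a wide-open master policy with no meta-policy.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

# Constructed sample: a hardened master policy. "master-only" tells the
# Flash player to honour only /crossdomain.xml on this host, so a
# policy-shaped file uploaded to another path is ignored.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of (code, detail) findings; an empty list means no issue found."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("NOT_XML", "policy is not well-formed XML: %s" % exc)]
    if root.tag != "cross-domain-policy":
        return [("WRONG_ROOT", "root element is <%s>, not <cross-domain-policy>" % root.tag)]

    # Meta-policy: controls whether non-master policy files elsewhere on
    # the host are honoured at all.
    site_control = root.find("site-control")
    meta = site_control.get("permitted-cross-domain-policies") if site_control is not None else None
    if meta is None:
        findings.append(("NO_META_POLICY",
                         "no <site-control>; default depends on player version, set master-only explicitly"))
    elif meta == "all":
        findings.append(("META_POLICY_ALL",
                         "permitted-cross-domain-policies=\"all\" honours policy files at any path"))
    elif meta in ("by-content-type", "by-ftp-filename"):
        findings.append(("META_POLICY_CONDITIONAL",
                         "%s honours non-master policies; make sure user uploads cannot satisfy the condition" % meta))

    # Per-rule checks on who may read responses from this domain.
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("WILDCARD_DOMAIN", "allow-access-from domain=\"*\" lets any site read responses"))
        elif domain.startswith("*."):
            findings.append(("WILDCARD_SUBDOMAIN", "any host under %s may read responses" % domain[1:]))
        if rule.get("secure", "true").lower() == "false":
            findings.append(("INSECURE_FLAG", "secure=\"false\" lets non-HTTPS movies read HTTPS responses"))

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append(("WILDCARD_HEADERS", "any site may send custom request headers"))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name)
        for code, detail in audit_policy(policy) or [("OK", "no findings")]:
            print("  %-24s %s" % (code, detail))
```

Run it against a site's real `/crossdomain.xml` by passing the fetched text to `audit_policy`. The meta-policy finding is the one that matters for the scenario in this post: without an explicit `master-only`, the domain also has to guarantee that no user-controlled file anywhere on the host can parse as a `<cross-domain-policy>`, which is a much harder property to maintain than a single root policy.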
If anyone from Google Security comes across this page, send me an email and we can go over the missing step as well as the Flash Source... I'd also like to talk to you about another hole in Google Docs that allows me to ACCESS ANY ARBITRARY USER'S DOCUMENTS.
Proof of Concept below