
Google Docs CSRF / Clickjacking

Posted on 12 March 2013
Source: packetstormsecurity.org


CSRF & Clickjacking: Google Document, Drawing, Forms, Spreadsheet, Presentation

An attacker can create a Google Document, Drawing, Form, Spreadsheet or
Presentation in the victim's Google Drive and obtain edit permission on that
document. In simple terms, the created document ends up shared with the
attacker.

*Vulnerable Domain:*

https://docs.google.com

*Google services vulnerable to this attack:*

https://docs.google.com/drawings
https://docs.google.com/forms
https://docs.google.com/spreadsheet
https://docs.google.com/presentation
https://docs.google.com/document

*Tested Browser Versions*

Attacker Browser: Internet Explorer 9
Victim Browser: Google Chrome Version 25.0.1364.152 m (updated)

POC Video

http://www.youtube.com/watch?v=OJaPIg_sMek

*Reference*

http://thehackernews.com/2013/03/hacking-google-users-with-googles.html

*Steps*:

- The attacker sends the victim a mail containing the malicious URL.
- The victim clicks the URL and interacts with the page it opens.
- The attacker succeeds in creating a document in the victim's Google Drive
  with edit permissions.
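The steps above work because the victim's browser attaches the victim's session cookie to a request that a third-party page triggered. The server-side controls that defeat this class of attack are shown below as an added defender-side example; it is not part of the original advisory and does not describe how Google actually fixed the issue. The handler is a hypothetical stand-in for a "create and share a document" endpoint, and the session cookie name `session`, the form field `csrf_token` and the value of `ALLOWED_ORIGIN` are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed per-process secret; a real deployment loads it from a key store.
SECRET_KEY = secrets.token_bytes(32)

# Assumption: the application's own origin, the only one allowed to submit
# state-changing requests such as "create a document and share it".
ALLOWED_ORIGIN = "https://docs.google.com"

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed, not a framework type)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC(secret, session id).

    A cross-site page can make the victim's browser *send* a request with the
    session cookie attached, but it cannot *read* this token out of the victim's
    page, so a forged request arrives without it (or with a wrong one)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_allowed(req: Request) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our site.

    The prefix match includes the trailing '/' so that a look-alike host such as
    'https://docs.google.com.evil.example' does not pass."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None:
        return False
    return src == ALLOWED_ORIGIN or src.startswith(ALLOWED_ORIGIN + "/")


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (ok, reason). Safe methods must not change state, so they are not gated."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not origin_is_allowed(req):
        return False, "cross-site origin"
    session_id = req.cookies.get("session")
    if session_id is None:
        return False, "no session"
    expected = issue_csrf_token(session_id)
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing csrf token"
    return True, "ok"


def security_headers() -> Dict[str, str]:
    """Response headers that stop another site framing this page, which is what
    clickjacking needs. X-Frame-Options is the legacy header; the CSP
    frame-ancestors directive is the current one. Marking the session cookie
    SameSite=Lax is a further layer: the browser then omits it from cross-site
    POSTs, so a forged request arrives unauthenticated."""
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    }


def create_document(req: Request) -> Tuple[int, Dict[str, str], str]:
    """Hypothetical handler for the state-changing 'create and share' action.
    Returns (status, headers, body)."""
    ok, reason = csrf_check(req)
    headers = security_headers()
    if not ok:
        return 403, headers, "rejected: " + reason
    title = req.form.get("title", "Untitled")
    return 201, headers, "created '%s' for session %s" % (title, req.cookies["session"])


if __name__ == "__main__":
    # Constructed requests: one from the application's own page, one triggered
    # by a third-party page while the victim's session cookie is still attached.
    session = "victim-session-abc"
    legit = Request("POST", {"Origin": ALLOWED_ORIGIN},
                    {"csrf_token": issue_csrf_token(session), "title": "Notes"},
                    {"session": session})
    forged = Request("POST", {"Origin": "https://attacker.example"},
                     {"title": "Shared with attacker"}, {"session": session})
    print(create_document(legit))    # 201: same origin and valid token
    print(create_document(forged))   # 403: cross-site origin
```

The token check alone is enough to stop the forged POST; the Origin/Referer check and the frame-ancestors header are defence in depth, the latter being the control that addresses the clickjacking half of the advisory.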

Regards

*Christy Philip Mathew*
Information Security Researcher

Mob: +91-9555223888

