Saturday, 10 September 2011

CSRF Security bug on Google+

This bug is only pseudo-fixed: I reported it to Google two weeks ago, and the server now escapes all the tags, but when you try to publish a site the problem is still there.

On Google+, when you publish a new comment that contains a link, the Google+ server fetches the site and extracts its description, main picture, etc.

All the images are served through the Google+ image proxy, which makes it impossible to include anything other than an image (JavaScript code, strange URLs, etc.). The texts are filtered by a whitelist-based system that does not allow HTML tags, or attributes inside tags. The problem is that they allow the img tag with its src attribute, and the only check is whether the content referenced by the src attribute is an image; the src can be any URL, and this is the bug :)

The steps to reproduce this bug are:

    1. Create a web site; I used my own website.

    2. Inside the meta description tag include an image tag, like:

               <meta name="description" content='<img src="https://www.google.com/accounts/Logout?service=profiles" />' />

    3. Go to Google+ and try to link your site. Google+ will read the description and serve it; when this happens, the browser will try to load the image from "https://www.google.com/accounts/Logout?service=profiles", which is the URL that signs you out.

You can also add the site without the img in the description, publish the comment, and later change the description; the new description will be shown to all the users.
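To make the mitigation concrete, here is an added example (not code from this post or from Google) of a whitelist filter in the style described above. In the weak mode the img src is passed straight through, so the reader's browser issues the request itself; in the hardened mode the src is rewritten to an image proxy (PROXY_PREFIX is an assumed placeholder, not the real Google+ proxy), so the origin URL is fetched server-side and only image content is relayed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample: the meta description value used in step 2 of the post.
DESCRIPTION = '<img src="https://www.google.com/accounts/Logout?service=profiles" />'

# Assumed placeholder for the image proxy; the real Google+ proxy URL is not on the page.
PROXY_PREFIX = "https://proxy.example/image?url="


class DescriptionSanitizer(HTMLParser):
    """Whitelist filter: only <img src="..."> survives; every other tag and attribute is dropped."""

    def __init__(self, proxy_images):
        super().__init__()
        self.proxy_images = proxy_images
        self.out = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing <img ... /> through this method.
        if tag != "img":
            return  # not whitelisted: the tag disappears, its text content is kept
        src = dict(attrs).get("src")
        if not src or not src.lower().startswith(("http://", "https://")):
            return
        if self.proxy_images:
            # Hardened: the browser only ever contacts the proxy. The proxy fetches the
            # origin URL without the user's cookies and relays it only if it is an image,
            # so a src pointing at a state-changing endpoint does nothing in the user's session.
            src = PROXY_PREFIX + quote(src, safe="")
        # Weak (proxy_images=False): src is emitted as-is and the browser requests it directly.
        self.out.append('<img src="%s" />' % escape(src, quote=True))

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(description, proxy_images=True):
    parser = DescriptionSanitizer(proxy_images)
    parser.feed(description)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("weak:    ", sanitize(DESCRIPTION, proxy_images=False))
    print("hardened:", sanitize(DESCRIPTION, proxy_images=True))
```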

Using this method you could create a worm (I'm not sure about this): include an image with the URL to share the post, and after it another image with the Sign Out URL, and in a couple of hours all the people will be banned from Google+ :)

This is the video with the bug demonstration:
