Wednesday, November 9, 2011

Google eBookstore content extraction


Two months ago I discovered a UI redressing vulnerability in Google eBookstore. It was reported to Google and quickly fixed. Following is a description of the vulnerability:

tl;dr: fake captcha on Google eBookstore + how to deal with dynamic line numbers.

Some of the pages at http://books.google.com containing private user data did not send the frame-busting X-Frame-Options header, so they could be loaded inside an iframe on any site. This made it possible to build a UI redressing attack that tricks the user into extracting that data into a malicious webpage.

Extracted data included:
  • Google user name (name / surname) of the logged-in user
  • Google email of the logged-in user
  • Google Books User ID (uid)
  • anti-CSRF tokens (sig) used on other pages to add / delete books
  • possibly other data that might aid further attacks on Google Books or other Google services
Affected browsers: Firefox (the browser has to render a framed view-source: URL)

Demo



In the demo, a user (with an empty bookshelf) is presented with a fake security code entry form. This might be disguised as an application registration form, a fake captcha, etc. An iframe with view-source:http://books.google.com/ebooks is displayed in place of the security code input field, so what looks like the security code is actually part of the http://books.google.com/ebooks page source (its last line).

Dynamic line numbers

The last line number could be a constant here (32), but I encountered accounts whose rendered HTML had a different number of lines.
Therefore the framed source is shifted slowly, one line at a time, starting from line 35 and working back towards earlier lines, and the user is asked to pause the scrolling as soon as content appears (the last line of the source is then the one displayed).

Here's the code for that:

    // jQuery is assumed. Jacksploit.line_height() measures the height of one
    // line of the framed source, in pixels.
    var height = Jacksploit.line_height();

    // I need to blindly determine the last line of the HTML source. A safe bet
    // would be 32, but to handle a different value I scroll upwards and depend
    // on the user to pause the scrolling.

    // Shift the framed source down by one line. #one has to be a same-origin
    // wrapper frame, otherwise its #inner element could not be reached.
    function move() {
        var f = $("#one").contents()[0].getElementById('inner');
        // style.top is a string like "10px"; parse it, add one line and write
        // it back with the unit, so it also works outside quirks mode.
        f.style.top = (parseInt(f.style.top, 10) + height) + 'px';
    }

    // Show the fake registration form once the frame has loaded; url points
    // at the wrapper page around the view-source: frame.
    $('#one').load(function() { $("#register").show(); }).attr('src', url);

    // Move one line every two seconds until the user hits "pause".
    var interval = setInterval(move, 2000);

    $("#pause").click(function() {
        clearInterval(interval);
    });
By tricking the user into copying (triple click, Ctrl-C) and pasting the "security code" into a real form field below, the attacker gets access to the private data: the whole last line of the HTML source is copied. To demonstrate this, some user data is extracted and echoed back to the user, and the tokens are reused to add "Alice in Wonderland" to the user's bookshelf.

Note: This exploit uses the fake captcha content extraction technique, which requires clipboard usage. There are other techniques for the same purpose, like double drag & drop, that have different requirements for triggering the exploit, but it is still the same vulnerability underneath: no X-Frame-Options header on pages containing user data. Developers: please send the header (DENY or SAMEORIGIN) instead of trying to frame-bust in JavaScript.

Reporting this vulnerability earned me an honorable mention in the Google Security Hall of Fame.

1 comment:

Mario Gomes said...

Nice post!
Some pages of Facebook also have this vulnerability, especially the file upload pages.