Hosting and sharing documents and files in the cloud has become very common among users. A way also to create backup copies and have everything available anywhere. However, as we can imagine, this also has its security issues. In this article we echo a bug that affects Google Docs and that has been able to expose users’ documents.
A bug in Google Docs exposes documents
Google Docs is one of the most used online tools when it comes to creating text documents and being able to share them with other users. It is very useful to work in a group, for example, as well as to be able to work from different devices and have everything updated.
A security researcher, Sreeram KL , discovered a bug a few months ago that affected this Google service. It specifically affected the comment tool that is built into all Docs services. This could be exploited by an attacker and steal screenshots of confidential documents simply by embedding them on a malicious website.
Keep in mind that many of Google’s products, such as Google Docs, have an option to “Send comments” or “Help Docs improve”. This allows users to submit feedback along with an option to include an automatically loaded screenshot to highlight specific issues that may exist.
This functionality is integrated into the different services from the main domain through an iframe element that loads the content of the pop-up window from feedback.googleusercontent.com.
This also means that whenever a screenshot of the Google Docs window is included, rendering the image requires transmitting the RGB values of each pixel to the main domain, which is www.google.com. Later those RGB values are redirected to the domain of the comments that builds the image and sends it back in Base64 encoded format.
Allows you to steal screenshots
The security researcher identified an error in the way these messages were transmitted to feedback.googleusercontent.com. This flaw could allow an attacker to arbitrarily modify the structure of an external website and thus steal and hijack Google Docs screenshots that were intended to be uploaded to Google’s servers.
This problem is caused by a missing X-Frame-Options header in the Google Docs domain. This allows to change the destination source of the message and exploit. User interaction would be required as it requires clicking the “Send Feedback” button, although an exploit could easily exploit this vulnerability and capture the URL of the uploaded screenshot and thus filter it to a malicious website.
Ultimately, this failure has been able to expose user documents. It is important that whenever we use these types of services we do so safely. We leave you a tutorial where we give tips for using the secure cloud. Some recommendations that can prevent our data from being stolen.