Hacker with XSS on Google's internal network

A young hacker from the Czech Republic discovered a security hole in one of the applications of Google.

If it was exploited by someone with malicious intent the mistake could allow to steal cookies from Google employees for internal applications and to seize their accounts. Extremely compelling e-fishing attempts could then be launched to give them access to many other parts of Google's internal network.

The security loophole was discovered by researcher Thomas Orlita in February 2019. It was fixed in mid-April, but has only just been published.

The vulnerability was a cross-site one (XSS), and was found on Google's invoicing portal, a public domain that Google redirects business users of the platform to submit invoices.

Most cross-site scripting (XSS) vulnerabilities are not considered as dangerous but there are cases that can lead to very serious problems.

One of these cases was the discovery of Orlita. The researcher said a malicious user could upload their own in the Google Invoice Submission Portal, through Invoke.hacker

Using a proxy the attacker could prevent the Google Invoice Submission Portal from changing the PDF document (after the of the form submission and validation process) and modify it to HTML, with a malicious XSS payload.

The malicious document would be stored in Google's billing backend and wait for someone to open it.

"XSS runs on a googleplex.com subdomain and while the employee is logged in, the attacker can access the subdomain control panel from where invoices can be viewed and managed," Orlita told ZDNet.

"Depending on how cookies are configured on googleplex.com, it may be possible to access other internal applications hosted on this domain," the researcher added.

So since most of Google's internal applications are hosted on the googleplex.com domain, this gives attackers a lot of possibilities.

Of course, like most things XSS, the vulnerability of the bug depends on the skill level of the hacker, and his ability to perform more complex .

For more technical details you can read Orlita publication.

_________________

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).