Google rewarded a researcher with $5,000 for discovering and reporting a cross-site scripting vulnerability in the Google Apps management console that could give an attacker full control over a Google account.
Many businesses associate their domains with Google services, which gives them access to Gmail and the rest of Google Apps.
Brett Buerhaus, a security technician at Blizzard Entertainment, discovered an XSS flaw that could be triggered while logging in to the management console.
When a user is signed in to at least two Google accounts, the login process asks which account to use. After one of the accounts is chosen in the Google Account Switching Form, JavaScript runs to redirect the browser to the correct page.
"The URL used in this JavaScript is provided to the user to continue the request parameter. The continue request parameter is a fairly common variable in the Google login stream. But this is the only page I could find that did not validate the URL. This allows cross-site scripting attacks using 'javascript:' as part of the URL, which will be executed when the browser redirects," says Buerhaus in a published write-up.
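To make the defect concrete, here is an added Node.js illustration (not code from Buerhaus's write-up or from Google) that places the vulnerable pattern, a redirect that trusts the continue parameter as-is, beside a validating version that parses the value and only accepts https URLs on the console's own origin; the origin `https://admin.example` and the sample parameter values are constructed placeholders.

```javascript
// Added example, not code from the original write-up or from Google.
// The redirect target comes from the "continue" request parameter; if it is
// used unvalidated, a "javascript:" URL runs when the browser follows it.
// The console origin below is an assumed placeholder.
const CONSOLE_ORIGIN = 'https://admin.example';

// Vulnerable pattern: the parameter becomes the redirect target unchanged.
function unsafeRedirectTarget(continueParam) {
  return continueParam;
}

// Hardened pattern: parse against the console origin, allow only https, and
// require the result to stay on the console's origin; otherwise fall back to
// the console landing page.
function safeRedirectTarget(continueParam, fallback = CONSOLE_ORIGIN + '/') {
  let target;
  try {
    // Relative paths resolve against the console. The WHATWG parser strips
    // leading/trailing whitespace and embedded tab/newline characters, so an
    // obfuscated scheme is normalised before the checks below run.
    target = new URL(String(continueParam), CONSOLE_ORIGIN);
  } catch {
    return fallback; // unparseable input never reaches location.href
  }
  if (target.protocol !== 'https:') return fallback; // rejects javascript:, data:, http:
  if (target.origin !== CONSOLE_ORIGIN) return fallback; // rejects "//evil.example/..."
  return target.href;
}

// Constructed sample values of the kind a "continue" parameter might carry.
const SAMPLES = [
  '/ManageUsers',
  'javascript:alert(1)',
  '  JaVaScRiPt:alert(1)',
  '//evil.example/phish',
  'https://admin.example/Dashboard#welcome',
];

// Side-by-side view of where each sample would send the browser.
function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    unsafe: unsafeRedirectTarget(s),
    safe: safeRedirectTarget(s),
  }));
}

console.log(compare());
```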
Exploiting this vulnerability could give the attacker the ability to create new users with any permission level, including super administrator, to change the security settings for users or domains, and to change the domain settings so that incoming email messages are forwarded to a different domain.
Additionally, the attacker could take control of other email accounts through the password reset mechanism, and could disable two-factor authentication, completely undermining the security of the targeted account.
The researcher published a proof of concept to demonstrate the issue. Google has already fixed the vulnerability.