Google rewarded a security researcher with $5,000 for discovering and reporting a cross-site scripting (XSS) vulnerability in the Google Apps management console that could have given an attacker full control over a Google account.
Many businesses connect their domains to Google services, which gives them access to Gmail and the collaboration tools in Google Apps.
Brett Buerhaus, a security engineer at Blizzard Entertainment, discovered an XSS pattern that could be used while logging into the admin console.
The login flow asks for the user's credentials when at least two Google accounts are shown. On the Google Account Switching form, after one of the accounts is chosen, JavaScript runs to redirect the browser to the correct page.
"The URL used in this JavaScript is provided to the user in the continue request parameter. The continue request parameter is a fairly common variable in the Google login stream, but this is the only page I could find that did not validate the URL. This allows cross-site scripting attacks using 'javascript:' as part of the URL, which will be executed when the browser redirects," says Buerhaus in a post.
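The root cause described above is an unvalidated redirect target. As an added example (not code from the original article, from Buerhaus's PoC, or from Google), here is a validator for a "continue"-style parameter that only accepts HTTPS URLs on an allowlisted origin; the origins and function names are hypothetical:

```javascript
// Added example: defensive validation of a "continue" redirect parameter.
// Assumes Node.js or a browser with the WHATWG URL API. The origins are
// hypothetical placeholders, not Google's real hostnames.

const ALLOWED_ORIGINS = new Set([
  "https://admin.example.com",    // hypothetical admin console origin
  "https://accounts.example.com", // hypothetical login origin
]);

// Returns a safe absolute URL string, or null if the value must be rejected.
function safeContinueUrl(raw, base = "https://accounts.example.com/") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw, base); // relative paths resolve against our own origin
  } catch {
    return null; // unparsable input is rejected rather than passed through
  }
  // Scheme allowlist: rejects javascript:, data:, vbscript: and friends.
  // The WHATWG parser strips tabs/newlines first, so "java\tscript:" is caught.
  if (url.protocol !== "https:") return null;
  // Origin allowlist: rejects protocol-relative "//evil.example/..." values.
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  // Reject embedded credentials ("https://admin.example.com@evil.example/").
  if (url.username || url.password) return null;
  return url.href;
}

// The weak pattern the article describes: the parameter is used as-is, so a
// "javascript:" value would run when assigned to window.location.
function vulnerableRedirectTarget(raw) {
  return raw;
}

// Hardened form: fall back to a fixed landing page on any rejected value.
function hardenedRedirectTarget(raw) {
  return safeContinueUrl(raw) ?? "https://accounts.example.com/";
}
```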
Exploiting this vulnerability could allow an attacker to create new users with any level of privilege, including super administrator, change security settings for users or domains, change domain settings, and forward incoming email to a mailbox on a different domain.
In addition, the attacker could take control of other email accounts through the password reset mechanism and could disable two-factor authentication, completely weakening the security of the targeted account.
The researcher published a proof of concept (PoC) to back up his claims. Google has since fixed the vulnerability.