Google rewarded a security researcher with $5,000 for discovering and reporting a cross-site scripting vulnerability in the Google Apps management console that could have given an attacker full control over a Google account.
Many businesses associate their domains with Google services, which gives them access to Gmail and lets them work with Google Apps.
Brett Buerhaus, a security technician at Blizzard Entertainment, discovered an XSS flaw that could be exploited when connecting to the management console.
The login process requires the user's credentials and that at least two Google accounts be displayed. In the Google account switch form, after one of the accounts is selected, a JavaScript snippet runs to redirect the browser to the correct page.
“The URL used in this JavaScript is provided to the user in the continue request parameter. The continue request parameter is a fairly common variable in the Google login stream, but this is the only page I could find that did not validate the URL. The feature allows cross-site scripting attacks using "javascript:" as part of the URL, which will be executed when the browser redirects,” says Buerhaus in a write-up.
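The root cause described above is a redirect parameter handed to the browser without validation. The following is an added example (not Buerhaus's PoC and not Google's code) of how a login page should vet such a `continue` value before redirecting: a scheme allowlist rejects `javascript:` and similar URLs, and an origin check rejects redirects off the expected host. The `continue` name comes from the article; `expectedOrigin`, the sample inputs and the fallback path are constructed for the example.

```javascript
// Fallback used whenever the supplied target is rejected (hypothetical path).
const DEFAULT_TARGET = "/dashboard";

// Return a safe redirect target for a `continue` parameter, or the fallback.
// Only http(s) URLs on `expectedOrigin` are accepted; everything else,
// including "javascript:" URLs and foreign hosts, is replaced.
function safeContinueTarget(continueParam, expectedOrigin) {
  if (typeof continueParam !== "string" || continueParam.length === 0) {
    return DEFAULT_TARGET;
  }
  let url;
  try {
    // Resolve relative paths against the expected origin so "/users" works,
    // while absolute and scheme-relative inputs keep their own scheme/host.
    // The WHATWG parser also trims leading whitespace and lowercases the
    // scheme, so "  JavaScript:..." still shows up as protocol "javascript:".
    url = new URL(continueParam, expectedOrigin);
  } catch (e) {
    return DEFAULT_TARGET; // unparsable input
  }
  // Scheme allowlist: rejects "javascript:", "data:", "vbscript:", etc.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return DEFAULT_TARGET;
  }
  // Origin check: rejects open redirects to other hosts ("//evil.example.test/x").
  if (url.origin !== new URL(expectedOrigin).origin) {
    return DEFAULT_TARGET;
  }
  return url.href;
}

// Constructed sample inputs of the kind a login flow receives in `continue`.
const SAMPLE_CONTINUE_VALUES = [
  "/admin/settings",                    // accepted (relative path)
  "https://admin.example.test/users",   // accepted (same origin)
  "javascript:alert(1)",                // rejected (scheme)
  "  JavaScript:alert(1)",              // rejected (scheme, after normalisation)
  "//evil.example.test/x",              // rejected (origin)
  "https://evil.example.test/phish",    // rejected (origin)
];

// Run every sample through the check; returns [input, resolvedTarget] pairs.
function classifySamples(expectedOrigin) {
  return SAMPLE_CONTINUE_VALUES.map((v) => [v, safeContinueTarget(v, expectedOrigin)]);
}
```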
Exploiting this vulnerability could have allowed an attacker to create new users with any privilege level, including super administrator, to change the security settings for users or domains, and to change the domain settings so that incoming email is forwarded to a different domain.
Additionally, the attacker could take control of other email accounts via the password reset mechanism, and could disable two-factor authentication, completely undermining the security of the targeted account.
The researcher published a proof of concept (PoC) to support his claims. Google has already fixed the vulnerability.