Bug Bounty Hunters Reveal Eight Vulnerabilities in Google Services
Security researchers unveiled eight vulnerabilities in Google services during the Hack in the Box conference in Amsterdam on Thursday -- but they claim to have discovered more than 100 such bugs over the past few months.
The bugs they revealed were found in Google's blog platform Blogger, its Analytics service and in Google Calendar, amongst other services.
The two most interesting once are the bugs found in Calendar and Analytics, said Itzhak Avraham, security researcher and founder of the Tel Aviv-based security firm Zimperium.
Cross-site-scripting (XSS) vulnerabilities are the most common bugs found in Google's services, Avraham and his fellow security researcher Nir Goldshlager said during their Hack in the Box presentation. XSS attacks -- allowing the execution of malicious code from one website or file as if it belonged to another -- are not just about stealing account data, but can also be used for hacking a victim's computer, they said. "Hacking your Gmail is not as interesting as hacking your computer," Avraham added.
"The Calendar bug is one of my favorites because you get the user to execute the bug for you," Avraham said. The researchers found a way to get a Calender user to trigger a XSS attack by using the application's sharing option. This was done by sharing the attackers' own calendar items with the victim more than five times, effectively spamming the user and encouraging him to delete the unwanted shared calendar items. After the user deleted five shared items an error message would pop-up saying the selected calendar item would not load, after which a stored XSS-attack would be triggered, allowing the attackers to hack into the victim's computer.
Avraham also highlighted the Analytics bug. According to him it is easy to see which sites use Analytics because the service's code can be spotted in the source of a Web page. Analytics allowed attackers to send an XSS link to an administrator of a targeted Website by sending a URL. They were able to do that because In-Page Analytics, a feature that allows users to view data superimposed on their website within Analytics, accepts incoming requests.
The researchers found two ways to exploit the vulnerability. One of them involved the attacker sharing his own In-Page Analytics profile with the victim. The victim then would receive a message that an Analytics profile was shared with him, enticing him to check who shared it, causing the attacker's XSS infected Web site to load into the In-Page viewer, executing the attack, allowing the attackers to hack the victims computer.
Avraham and Goldshlager called themselves bug hunters, hackers that actively look for bugs in software from vendors that pay a bounty for reports of vulnerabilities. Companies including Google, Facebook and Mozilla typically pay between $500 and $3,000 for bugs discovered in their software, the researchers said. According to them, the best way to find bugs in big services like that is keeping track of what the companies do, for instance by tracking acquisitions. Newly added services are not always as well protected, Avraham said.
The researchers also presented bugs they found in Google's Feedburner, Knol, FriendConnect and Picnik services, and in the Google Affiliate Network.
The bug they found in photo editing service Picnik involved an old version of the open source email application phpList, which is riddled with security holes, they said. Besides that, Google used the default user name and password for that application, they added.
"That was a very big mistake," Goldshlager said, adding that the vulnerability could have led to a full server compromise. The bug bounty hunters received $3,133.70 for the discovery of the leak.
All bugs reported to Google that they mentioned during Hack in the Box had been fixed before the presentation, the researchers said.
Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org
Editor's Note: We have corrected this story to accurately represent the actions Google took in light of the Picnik bug mentioned.