Description

We have discovered several vulnerabilities in Google Acquisitions between November 2016 and January 2017.

Reported vulnerabilities are related to the following domains: moodstocks.com, withgoogle.com, and chromeexperiments.com.

The flaws are of two kinds: subdomain takeover (DNS) and XSS vulnerabilities.

Subdomain takeover vulnerability in mail.moodstocks.com

Access Vector: Remote

Security Risk: High

CVSS Base Score: 8.8

CVSS String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O

Vulnerability Description

This issue is related to the mail.moodstocks.com subdomain. The DNS CNAME for this domain is pointing to an unused subdomain that can be claimed by anyone who wants to fully take over it.

The potential impact here is high because an attacker can control all the content for that particular subdomain, with impacts on confidentiality, integrity, and availability. This can cause huge damage to the company.

To fix this issue, it is recommended to remove the unused entry from the DNS.

You can read about this sorts of attacks here : http://labs.detectify.com/post/109964122636/hostile-subdomain-takeover-using

Proof of Concept

The following command allows to get the DNS CNAME for mail.moodstocks.com:

$ dig mail.moodstocks.com

dig shows that mail.moodstocks.com is pointing to messagingengine.com (fastmail.com).

So, when accessing to https://mail.moodstocks.com/, we are redirected to https://www.fastmail.com/login/?domain=moodstocks.com. Since moodstocks.com belongs to an unused or expired account, we have been able to claim it as a proof of concept.

Timeline (dd/mm/yyyy)

  • 17/01/2017 : Initial discovery
  • 17/01/2017 : Contact with vendor team
  • 19/01/2017 : Vendor response: I've filed a bug based on your report
  • 24/01/2017 : Vendor release fix

Reflected XSS vulnerabilities in workshop.chromeexperiments.com

Access Vector: Remote

Security Risk: Low

Vulnerability: CWE-79

CVSS Base Score: 3.5

CVSS String: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O

Vulnerability Description

Two XSS vulnerabilities have been found on workshop.chromeexperiments.com. These XSS could lead to session hijacking.

Proof of Concept

Steps to reproduce using Firefox browser:

  1. First you need to set your user-agent to the following payload : <svg onload=alert(document.domain)>
  2. Now click one of the links below and you will get the XSS:
https://workshop.chromeexperiments.com/src/dat/release/qunit/qunit.html

Or

https://workshop.chromeexperiments.com/src/dat/release/qunit/testtest.html

Timeline (dd/mm/yyyy)

  • 13/12/2016 : Initial discovery
  • 13/12/2016 : Contact with vendor team
  • 16/12/2016 : Vendor acknowledgement
  • 16/12/2016 : Bug Patched

Reflected XSS Vulnerability related to events.withgoogle.com

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-79

CVSS Base Score: 4.3

CVSS String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O

Vulnerability Description

Two XSS vulnerabilities have been found on workshop.chromeexperiments.com. These XSS could lead to session hijacking.

Proof of Concept

The following GET request exploit the reflected XSS vulnerability:

https://events.withgoogle.com////////////////////%3Cscript%3Ealert(document.domain)%3C/script%3E

Reflected XSS

Timeline (dd/mm/yyyy)

  • 26/11/2016 : Initial discovery
  • 26/11/2016 : Vendor notification
  • 28/11/2016 : Vendor responses are shown in the following picture:

Bad news.

  • 30/11/2016 : Vendor fixes vulnerability

Credits