Sum up of vulnerabilities found in Google Acquisitions
Description
We have discovered several vulnerabilities in Google Acquisitions between November 2016 and January 2017.
Reported vulnerabilities are related to the following domains: moodstocks.com, withgoogle.com, and chromeexperiments.com.
The flaws are of two kinds: subdomain takeover (dangling DNS CNAME records) and reflected cross-site scripting (XSS).
Subdomain takeover vulnerability in mail.moodstocks.com
Access Vector: Remote
Security Risk: High
CVSS Base Score: 8.8
CVSS String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O
Vulnerability Description
This issue is related to the mail.moodstocks.com subdomain. Its DNS CNAME points to a third-party mail provider (Fastmail) where the moodstocks.com domain is no longer attached to an active account, so anyone can register it at the provider and fully take over the subdomain.
The potential impact is high because an attacker then controls all content served under that subdomain, with consequences for confidentiality, integrity, and availability for every user who trusts the hostname. This can cause serious damage to the company.
To fix this issue, remove the unused CNAME entry from the DNS zone (or re-claim the account it points to).
You can read about this sort of attack here: http://labs.detectify.com/post/109964122636/hostile-subdomain-takeover-using
Proof of Concept
The following command retrieves the DNS CNAME record for mail.moodstocks.com:
$ dig mail.moodstocks.com
dig shows that mail.moodstocks.com is a CNAME to a host under messagingengine.com, Fastmail's infrastructure.
So, accessing https://mail.moodstocks.com/ redirects to https://www.fastmail.com/login/?domain=moodstocks.com. Since moodstocks.com was attached to an unused or expired Fastmail account, we were able to claim it as a proof of concept.
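The dig check above can be automated across an estate. The script below is an added example, not part of the original advisory: it shells out to `dig +short` for real lookups, and classifies each CNAME as dangling (target no longer resolves), claimable (target still resolves but sits in a provider zone where an unclaimed name can be registered by anyone, the Fastmail case here), or ok. The provider zone list, the `example.test` hostnames and the IP addresses in `FAKE_DNS` are constructed so the demo runs offline.

```python
"""Dangling / claimable CNAME checker.

Added example (not part of the original advisory): automates the dig step from
the proof of concept. Real lookups use the dig CLI; the demo data at the bottom
is constructed so the script runs offline.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

# Zones where a CNAME target can be registered by any customer of the provider.
# Assumption: an illustrative list (Fastmail's zone from the advisory plus two
# well-known hosting providers); maintain it for your own estate.
TAKEOVER_PRONE_ZONES = (
    "messagingengine.com",  # Fastmail custom-domain targets
    "github.io",
    "herokuapp.com",
)

Resolver = Callable[[str, str], List[str]]


def dig_resolver(name: str, rtype: str) -> List[str]:
    """Resolve `name` for record type `rtype` with `dig +short` (needs network)."""
    proc = subprocess.run(["dig", "+short", name, rtype],
                          capture_output=True, text=True, check=False)
    return [ln.strip().rstrip(".") for ln in proc.stdout.splitlines() if ln.strip()]


def in_prone_zone(target: str) -> bool:
    """True when `target` is, or is under, one of the takeover-prone zones."""
    return any(target == z or target.endswith("." + z) for z in TAKEOVER_PRONE_ZONES)


def classify(host: str, resolve: Resolver) -> Tuple[str, str]:
    """Classify one hostname. Returns (status, cname_target) where status is:
      'no-cname'  - no CNAME, nothing to take over through a dangling alias
      'dangling'  - CNAME target has no A/AAAA record (deleted tenant, expired app)
      'claimable' - target resolves but lives in a zone where an unclaimed name
                    can be registered by anyone (needs manual confirmation)
      'ok'        - CNAME to a resolving target outside the prone zones
    """
    cnames = resolve(host, "CNAME")
    if not cnames:
        return ("no-cname", "")
    target = cnames[0]
    if not resolve(target, "A") and not resolve(target, "AAAA"):
        return ("dangling", target)
    if in_prone_zone(target):
        return ("claimable", target)
    return ("ok", target)


def find_takeover_candidates(hosts, resolve: Resolver = dig_resolver) -> Dict[str, Tuple[str, str]]:
    """Return only the hosts that need DNS cleanup or manual confirmation."""
    results = {h: classify(h, resolve) for h in hosts}
    return {h: r for h, r in results.items() if r[0] in ("dangling", "claimable")}


# Constructed DNS answers standing in for real zone data (example.test is fictional).
FAKE_DNS = {
    ("mail.example.test", "CNAME"): ["mail.messagingengine.com"],
    ("mail.messagingengine.com", "A"): ["192.0.2.10"],   # resolves, account unclaimed
    ("old.example.test", "CNAME"): ["retired-app.herokuapp.com"],
    # retired-app.herokuapp.com has no A/AAAA answer: the app was deleted
    ("www.example.test", "CNAME"): ["cdn-edge.example-cdn.test"],
    ("cdn-edge.example-cdn.test", "A"): ["192.0.2.20"],
    ("api.example.test", "A"): ["192.0.2.30"],           # plain A record, no CNAME
}


def fake_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for dig_resolver backed by FAKE_DNS."""
    return FAKE_DNS.get((name, rtype), [])


if __name__ == "__main__":
    hosts = ["mail.example.test", "old.example.test",
             "www.example.test", "api.example.test"]
    for host, (status, target) in find_takeover_candidates(hosts, fake_resolver).items():
        print(f"{host}: {status} -> {target}")
```

A `claimable` result is a heuristic, not proof: confirm it the way the advisory does, by checking whether the provider lets you register the name (here the Fastmail login redirect with `?domain=`), then delete the record. Run with `resolve=dig_resolver` against your own zone export to check live data.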
Timeline (dd/mm/yyyy)
- 17/01/2017 : Initial discovery
- 17/01/2017 : Contact with vendor team
- 19/01/2017 : Vendor response: I’ve filed a bug based on your report
- 24/01/2017 : Vendor releases fix
Reflected XSS vulnerabilities in workshop.chromeexperiments.com
Access Vector: Remote
Security Risk: Low
Vulnerability: CWE-79
CVSS Base Score: 3.5
CVSS String: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O
Vulnerability Description
Two reflected XSS vulnerabilities have been found on workshop.chromeexperiments.com, in test pages served under src/dat/release/qunit/ that reflect the User-Agent request header into the page without encoding. Both could lead to session hijacking.
Proof of Concept
Steps to reproduce using the Firefox browser:
- First, set your User-Agent header to the following payload:
<svg onload=alert(document.domain)>
- Then open one of the URLs below; the payload is reflected into the page and executes:
https://workshop.chromeexperiments.com/src/dat/release/qunit/qunit.html
Or
https://workshop.chromeexperiments.com/src/dat/release/qunit/testtest.html
Timeline (dd/mm/yyyy)
- 13/12/2016 : Initial discovery
- 13/12/2016 : Contact with vendor team
- 16/12/2016 : Vendor acknowledgement
- 16/12/2016 : Bug Patched
Reflected XSS Vulnerability related to events.withgoogle.com
Access Vector: Remote
Security Risk: Medium
Vulnerability: CWE-79
CVSS Base Score: 4.3
CVSS String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O
Vulnerability Description
A reflected XSS vulnerability has been found on events.withgoogle.com: the requested URL path is reflected into the response without encoding. It could lead to session hijacking.
Proof of Concept
The following GET request exploits the reflected XSS vulnerability:
https://events.withgoogle.com////////////////////%3Cscript%3Ealert(document.domain)%3C/script%3E
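Both XSS findings on this page (the User-Agent reflection on workshop.chromeexperiments.com and the path reflection on events.withgoogle.com) are the same bug class: request data is written into HTML without output encoding. The block below is an added example, not code from either affected site; the page templates, the `application()` WSGI entry point and the `example` request are invented, and only the two payloads come from the advisory. It shows the vulnerable rendering beside its hardened form and a check that tells them apart.

```python
"""Reflected XSS: vulnerable rendering next to its hardened form.

Added example, not code from the affected sites. Templates and the WSGI entry
point are invented; only the two payloads come from the advisory. Runs offline
through a constructed WSGI environ.
"""
from html import escape
from wsgiref.util import setup_testing_defaults

# Payloads from the advisory: one arrives in the User-Agent header, one in the path.
# A WSGI server percent-decodes the request path, so PATH_INFO already holds '<'.
UA_PAYLOAD = "<svg onload=alert(document.domain)>"
PATH_PAYLOAD = "////////////////////<script>alert(document.domain)</script>"


def vulnerable_page(environ: dict) -> str:
    """Echoes request data into HTML without encoding (the reported bug class)."""
    ua = environ.get("HTTP_USER_AGENT", "")
    path = environ.get("PATH_INFO", "/")
    return ("<html><body>"
            f"<p>Your browser: {ua}</p>"
            f"<p>No such page: {path}</p>"
            "</body></html>")


def hardened_page(environ: dict) -> str:
    """Same page with HTML-entity encoding applied at the point of output.
    quote=True also encodes quotes, so the values are safe inside attributes."""
    ua = escape(environ.get("HTTP_USER_AGENT", ""), quote=True)
    path = escape(environ.get("PATH_INFO", "/"), quote=True)
    return ("<html><body>"
            f"<p>Your browser: {ua}</p>"
            f"<p>No such page: {path}</p>"
            "</body></html>")


def response_headers() -> list:
    """Defence in depth: a CSP without 'unsafe-inline' stops inline <script>
    blocks and on* handlers from running even if an encoding bug slips through."""
    return [("Content-Type", "text/html; charset=utf-8"),
            ("Content-Security-Policy", "default-src 'self'; script-src 'self'")]


def application(environ, start_response, render=hardened_page):
    """Minimal WSGI app; pass render=vulnerable_page to reproduce the flaw."""
    body = render(environ).encode("utf-8")
    start_response("200 OK", response_headers())
    return [body]


def make_environ(path: str, user_agent: str) -> dict:
    """Constructed request, the equivalent of the Firefox steps in the advisory."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["HTTP_USER_AGENT"] = user_agent
    return environ


def reflects_unencoded(payload: str, html: str) -> bool:
    """Detection check: the raw payload in the body means the markup would execute."""
    return payload in html


if __name__ == "__main__":
    env = make_environ(PATH_PAYLOAD, UA_PAYLOAD)
    for name, render in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        html = render(env)
        print(name, "UA reflected:", reflects_unencoded(UA_PAYLOAD, html),
              "path reflected:", reflects_unencoded(PATH_PAYLOAD, html))
```

Encoding must match the output context: `html.escape` is right for text and attribute values, but a value written into a JavaScript string or a URL needs JavaScript-string or percent encoding instead. The CSP header is a second layer, not a substitute for encoding.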
Timeline (dd/mm/yyyy)
- 26/11/2016 : Initial discovery
- 26/11/2016 : Vendor notification
- 28/11/2016 : Vendor response (shown as a screenshot in the original advisory, not reproduced here)
- 30/11/2016 : Vendor fixes vulnerability
Credits
- Issam Rabhi i.rabhi@sysdream.com