Google OAuth Target URL and Domain Description Vulnerable to UI redress attack

Over the last 3 years, I have participated in the Google Reward Program and found some relatively serious vulnerabilities. "Google OAuth Target URL, Upload X.509 Cert and Domain Description Vulnerable to UI Redress Attack" is one of my oldest findings in the Google Reward Program. UI Redress Attack (also known as clickjacking) is a well-known attack in the InfoSec community; for those who are new to UI Redress Attacks, find information here.

According to Wikipedia, OAuth is an open standard for authorization: it lets client applications obtain secure, delegated access to resources on behalf of a resource owner.

The following URL was vulnerable to UI Redress Attack:

https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com

By exploiting this vulnerability, an attacker is able to update the victim's OAuth information, including the Target URL, the uploaded X.509 Cert and the Domain Description.

The following header information was passed to the Google server, and you can see that the X-Frame-Options (XFO) header, which would prevent the page from being framed, is missing:

Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
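The missing X-Frame-Options header is what makes the page frameable. As an added example (not code from the original post), the function below classifies a set of response headers by the framing protection they give, treating CSP frame-ancestors as taking precedence over X-Frame-Options and treating the obsolete ALLOW-FROM form as unprotected, since current browsers ignore it. The two sample responses are constructed for illustration, not captured from Google.

```python
from typing import Dict, Optional


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a response's anti-framing posture from its headers.

    'blocked'      framing denied everywhere (DENY / frame-ancestors 'none')
    'same-origin'  only the page's own origin may frame it
    'allow-list'   frame-ancestors names specific permitted origins
    'unprotected'  no effective header: an iframe PoC like the one on this
                   page would render the target inside the attacker's page
    CSP frame-ancestors wins over X-Frame-Options when both are present.
    """
    csp = _get(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if not sources or sources == ["none"]:  # empty list matches nothing
                    return "blocked"
                return "same-origin" if sources == ["self"] else "allow-list"
    xfo = _get(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value == "DENY":
            return "blocked"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM and unrecognised values are ignored by modern browsers,
        # so the page stays frameable.
        return "unprotected"
    return "unprotected"


# Constructed sample responses for the vulnerable and the hardened case.
VULNERABLE_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "SID=example; Secure; HttpOnly",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
```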


The following is a sample PoC:

<iframe src="https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com" width="600" height="600"></iframe>

Google UI Redress Attack

In the next blog post I will be writing up another relatively critical Google vulnerability.
