Google OAuth Target URL and Domain Description Vulnerable to UI redress attack

Over the last 3 years, I’ve participated in the Google Reward Program and found some relatively serious vulnerabilities. Google OAuth Target URL, Upload X.509 Cert and Domain Description Vulnerable to UI Redress Attack is one of my oldest findings in the Google Reward Program. UI Redress Attack is a well-known attack in the Info Sec community. Also, for those who are new to UI Redress Attack, find information here.

According to Wiki, OAuth is an open standard for authorization; it provides client applications secure access on behalf of a resource owner.

The following URL was vulnerable to UI Redress Attack:

By exploiting this vulnerability, an attacker is able to update the victim’s OAuth information, including Target URL, Upload X.509 Cert and Domain Description.

The following header information was passed to the Google server, and you can see that the X-Frame-Options (XFO) header is missing.

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
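A defender-side check for the missing header described above, as an added example that is not part of the original post: X-Frame-Options and the CSP frame-ancestors directive are set by the server in its response, so the code parses a raw response header block and reports whether framing is restricted. The function names and the sample responses are assumptions constructed for illustration.

```python
# Added example (not from the original post); names and samples are constructed.
def parse_headers(raw):
    """Parse a raw header block into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue  # status line or malformed line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(headers):
    """Return the frame-ancestors sources of an enforced CSP, or None."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None  # a Report-Only policy is never consulted, it does not block

def framing_verdict(raw):
    """Return (verdict, reason); verdict is protected, weak or frameable."""
    headers = parse_headers(raw)
    sources = frame_ancestors(headers)
    if sources is not None:
        # Browsers ignore X-Frame-Options once frame-ancestors is enforced.
        if {"*", "http:", "https:"} & set(sources):
            return ("frameable", "frame-ancestors allows broad origins")
        return ("protected", "CSP frame-ancestors " + " ".join(sources))
    xfo = [t.strip().upper() for v in headers.get("x-frame-options", [])
           for t in v.split(",")]
    if not xfo:
        return ("frameable", "no X-Frame-Options or frame-ancestors")
    if all(t in ("DENY", "SAMEORIGIN") for t in xfo):
        return ("protected", "X-Frame-Options " + ", ".join(xfo))
    # ALLOW-FROM is obsolete; flag it and any unrecognised value for review.
    return ("weak", "unsupported X-Frame-Options: " + ", ".join(xfo))

SAMPLES = {  # constructed responses, not captured traffic
    "none": "HTTP/1.1 200 OK\nContent-Type: text/html\n",
    "deny": "HTTP/1.1 200 OK\nX-Frame-Options: DENY\n",
    "allow_from": "HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM https://partner.example\n",
    "csp": "HTTP/1.1 200 OK\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\n",
    "report_only": "HTTP/1.1 200 OK\nContent-Security-Policy-Report-Only: frame-ancestors 'none'\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, framing_verdict(raw))
```

Pages that change account settings, such as the OAuth fields named above, are the ones to run through this check first.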


Following is sample POC:

<iframe src="" width="600" height="600"></iframe>

[Image: Google UI Redress Attack]

In the next blog post I’ll be posting another relatively critical Google vulnerability.
