Thursday, 3 January 2013

Google.com cross site scripting and privilege escalation in Consumer Surveys


Hello,

I have recently found a persistent cross site scripting and privilege escalation in Google Consumer Surveys. Here are proofs of concept for both vulnerabilities:
Cross site scripting (XSS)

You can create a new Google Consumer Survey here. I have entered  "</script><script>alert(document.cookie)</script> as name of my survey and clicked Continue. The JavaScript was executed. Now the problem was, how do I exploit this on other users?
When creating a survey, there are four steps. Step 1,3 and 4 links could be used to exploit it on other users, while Step 2 (still) gives a 500 Internal server error if viewing other people's surveys (I do not know why, maybe you can find something there :)). Here are the 3 links (the survey is deleted).

  • http://www.google.com/insights/consumersurveys/create?survey=c2mexgsedz4dc
  • http://www.google.com/insights/consumersurveys/create/questions/edit?survey=c2mexgsedz4dc
  • http://www.google.com/insights/consumersurveys/create/confirm?survey=c2mexgsedz4dc
Visiting any of those three links would execute the JavaScript in your browser.
Screenshot:




Privilege escalation
In the same service, you could delete anyone's Consumer Survey with a single POST request. Keep in mind that this is a paid Google service.

A POST request to this URL with following parameters:

http://www.google.com/insights/consumersurveys/delete_survey

POST parameters:
survey=c2mexgsedz4dc
&xsrf-token=[Your-XSRF-token]&action=delete

You could change survey parameter to any valid survey, and it would get deleted. 
When trying to visit a deleted survey, 500 Internal Server Error would pop out, and you wouldn't be able to view it. 

Google has rewarded me with $1337 for each bug (high severity rewards), along with second entry to Hall of Fame. Thank you Google Security team for quick response and fix!

No comments:

Post a Comment

Note: only a member of this blog may post a comment.