Hello,
I have recently found a persistent cross-site scripting vulnerability and a privilege escalation in Google Consumer Surveys. Here are proofs of concept for both vulnerabilities:
Cross-site scripting (XSS)
You can create a new Google Consumer Survey here. I entered "</script><script>alert(document.cookie)</script>" as the name of my survey and clicked Continue. The JavaScript was executed. Now the problem was: how do I exploit this against other users?
When creating a survey, there are four steps. The links for Steps 1, 3 and 4 could be used to trigger it for other users, while Step 2 (still) gives a 500 Internal Server Error when viewing other people's surveys (I do not know why, maybe you can find something there :)). Here are the 3 links (the survey has since been deleted).
- http://www.google.com/insights/consumersurveys/create?survey=c2mexgsedz4dc
- http://www.google.com/insights/consumersurveys/create/questions/edit?survey=c2mexgsedz4dc
- http://www.google.com/insights/consumersurveys/create/confirm?survey=c2mexgsedz4dc
Visiting any of those three links would execute the JavaScript in your browser.
Privilege escalation
In the same service, you could delete anyone's Consumer Survey with a single POST request. Keep in mind that this is a paid Google service.
A POST request to this URL with the following parameters:
http://www.google.com/insights/consumersurveys/delete_survey
POST parameters:
survey=c2mexgsedz4dc
&xsrf-token=[Your-XSRF-token]&action=delete
You could change the survey parameter to any valid survey ID, and that survey would be deleted.
When trying to visit a deleted survey, a 500 Internal Server Error would appear, and you wouldn't be able to view it.
Thank you Google Security team for quick response and fix!
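To show what the fixes for both issues above look like on the server side, here is an added example (my own illustration, not Google's code): a hypothetical in-memory survey store with a delete handler that enforces object-level authorization in addition to the XSRF token, and a helper that embeds a survey name inside a script block without letting a "</script>" in the name break out of it. The survey ID from the report is reused as sample data; the user names and tokens are constructed.

```python
import json
import secrets

# Constructed sample data standing in for the survey backend (hypothetical).
SURVEYS = {
    "c2mexgsedz4dc": {
        "owner": "alice",
        "name": "</script><script>alert(document.cookie)</script>",
    }
}
XSRF_TOKENS = {}  # user -> current anti-XSRF token


def issue_xsrf_token(user):
    """Hand out a per-user token that delete requests must echo back."""
    token = secrets.token_urlsafe(16)
    XSRF_TOKENS[user] = token
    return token


def render_name_for_script(name):
    """Embed an attacker-controlled string inside a <script> block safely.

    json.dumps quotes and escapes it as a JS string literal; replacing "</"
    with "<\\/" stops the HTML parser from seeing a premature </script>,
    which is exactly the breakout used in the report above.
    """
    return json.dumps(name).replace("</", "<\\/")


def delete_survey(user, form):
    """Server-side handler for delete_survey. Returns (status, message)."""
    if form.get("action") != "delete":
        return 400, "unsupported action"
    expected = XSRF_TOKENS.get(user)
    supplied = form.get("xsrf-token", "")
    if expected is None or not secrets.compare_digest(supplied, expected):
        return 403, "bad xsrf token"
    survey_id = form.get("survey", "")
    survey = SURVEYS.get(survey_id)
    # Object-level authorization: the check the vulnerable endpoint lacked.
    # A valid token only proves the request came from the logged-in user,
    # not that this user owns the survey being deleted.
    if survey is None or survey["owner"] != user:
        return 404, "no such survey"  # same answer for missing and not-owned
    del SURVEYS[survey_id]
    return 200, "deleted"
```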