Monday, January 7, 2008

There's an OAK TREE in my blog!?!?!

A while back I came across another interesting issue that allowed me to steal an arbitrary Google Doc (assuming I knew the DocID). This issue has already been fixed by Google, but the details are pretty interesting so I thought I would share! Now, before I get into the gory details, I'd like to mention two things about Google:

  1. I know some people have had issues with Google's Security Team (GST), but I've always had pleasant experiences with them. GST moves with LIGHTNING speed and they are usually great about keeping me apprised of the status of various issues I've reported to them.

  2. In addition to fixing this particular exposure, GST has also increased the entropy of the DocID, making sploits based on DocID guessing totally impractical. It's a great example of going the extra step to help protect users...

Now... the gory details... First, I went to Wordpress.com and created a new blog (there were other ways to pull this off, but this was the easiest way). Once the blog was created, I logged into Google Docs with my account, created a document and selected the "publish this document" option. Once in the "publish" menu, I selected the "Blog Site Settings" option. This option basically allows a Google Docs user to create a document in Google Docs and POST it directly to their blog! I entered my blog provider, blog username, and blog password into the blog settings page. The page is shown below:

(Screenshot: My Blog Settings)

Once my blog settings were properly entered, I selected the "Publish This Document To Your Blog" option. The POST request made by my browser looked something like this:

POST /MiscCommands HTTP/1.1
<HTTP HEADERS>

command=cmdvalue&localDate=datevalue&docID=doc-id-here&finis=finisvalue&POST_TOKEN=posttokenvalue

When this feature is selected, it appears that the Google Docs server makes a request to the xmlrpc.php file on the blog server (Wordpress.com), passing the credentials I gave in the blog settings. When the blog server indicates that the blog creds were valid, the Google Docs server sends the contents of the Google Doc to the blog server. hmmmm... that docID value looks reeeallly interesting... I changed the docID in the POST request from the docID of my newly created document to the docID of the "Article For Oak Tree View" (the document used by Google to demo Google Docs).

(Screenshot: OAKTREE-DocID)

After changing the docID and sending the POST request, I logged into my Wordpress Blog and LO AND BEHOLD... my first blog POST was the Oak Tree Newsletter!

(Screenshot: Oak Tree in My Blog)

I tried it on some friends' documents with the same result and then contacted the GST....
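The authorization gap described above, as an added example that is neither this post's code nor Google's: a toy "publish to blog" handler in the flawed shape (the client-supplied docID is the only lookup key) beside a checked version, plus an unguessable ID generator for the entropy change the post credits GST with. The in-memory document store, the user names and the blog stub are all constructed for the illustration.

```python
import secrets

# Constructed in-memory stand-in for the document store; names are assumptions.
DOCS = {
    "doc-owned-by-alice": {"owner": "alice", "body": "Alice's draft"},
    "doc-oak-tree": {"owner": "google-demo", "body": "Oak Tree newsletter"},
}


class NotAuthorized(Exception):
    pass


def blog_post(blog_creds, body):
    """Stand-in for the server-side XML-RPC call to the blog; returns what
    would be posted so the caller can inspect it."""
    return {"blog_user": blog_creds["user"], "body": body}


def publish_vulnerable(session_user, doc_id, blog_creds):
    """The flawed shape: docID from the POST body is the only lookup key, so
    any valid ID is exported to the caller's blog regardless of who owns it.
    session_user is accepted but never consulted, which is the bug."""
    doc = DOCS[doc_id]
    return blog_post(blog_creds, doc["body"])


def can_publish(session_user, doc_id):
    """Authorization check: the authenticated user must own the document.
    (A real system would also consult explicit sharing grants.)"""
    doc = DOCS.get(doc_id)
    return doc is not None and doc["owner"] == session_user


def publish_fixed(session_user, doc_id, blog_creds):
    """Same request shape, but the ownership check runs before the contents
    leave the system. Denials are worth logging: a burst of them from one
    account is a useful detection signal for ID enumeration."""
    if not can_publish(session_user, doc_id):
        raise NotAuthorized(f"{session_user} may not publish {doc_id}")
    return blog_post(blog_creds, DOCS[doc_id]["body"])


def new_doc_id():
    """Defence in depth: a 128-bit random identifier that cannot be guessed.
    It complements, and does not replace, the check in publish_fixed."""
    return secrets.token_urlsafe(16)
```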
Links to other Google Docs Stuff here, here, and here

5 comments:

  1. Rios, great post man!

    Total agreement on the Google Security Team, they're a class act to work with. They've treated us both great from the start. Must be a good job over there, getting paid to test all this new tech all the time!
  2. Yeah, GST is awesome :) I've had good experiences with them.. in most cases they fix the stuff :P

    Greetz!!
  3. [...] This reminds me a lot of the work that Billy Rios has helped Google out with, as referenced here, here, and here. In these examples arbitrary user’s documents could be stolen from the Google [...]
  4. [...] something a deep source code review of a web application would uncover.  Think about the Google Docs flaws that Billy recently pulled off.  That’s a SERIOUS attack vector, but there’s no way a WAF could protect you from [...]
  5. Also agree with GST. They were unbelievably quick to respond, keeping me apprised of everything they were doing and had the issue fixed within 3-4 hours. THEN mailed me a T-Shirt! Very different compared to other companies that have gone so far as to almost threaten to sue me.