Google Docs Bug Allowed Viewing of Private Documents
In the summer of 2020, researcher Shriram K.L. earned $3,133.70 through Google's bug bounty program after discovering a vulnerability in Google Docs. The issue was in Google's feedback tool, which could be abused to steal screenshots of private documents.
Many Google products, including Google Docs, offer Send feedback and Help Docs improve options. These let users submit feedback and attach a screenshot to illustrate a specific problem. Rather than duplicating the feature in every service, Google runs feedback through its main site (google.com) and embeds it in other products via an iframe that loads content from feedback.googleusercontent.com.
The researcher explained that when a screenshot of the Google Docs window is attached, rendering the image requires sending the RGB values of each pixel to google.com, which forwards them to the feedback domain; that domain builds the image and returns it encoded in Base64. The vulnerability lay in how these messages were passed to the feedback.googleusercontent.com iframe. Because the Google Docs domain did not send an X-Frame-Options header, an attacker's page could embed Docs in an iframe, and a page that frames another is allowed to navigate that page's nested frames. The attacker could therefore point the feedback iframe at an arbitrary external site, so that screenshot data intended for Google's servers was delivered to the attacker instead. The researcher published a demonstration of the attack.
Carrying out the attack required some user interaction, such as the victim clicking the "Send feedback" button. The exploit then intercepted the uploaded screenshot and sent it to a malicious site. The researcher noted that the attack could be executed by embedding a Google Docs file in an iframe on a malicious website, then hijacking the feedback popup and redirecting its contents to a domain of the attacker's choosing.