CSRF & Clickjacking : Google Document, Drawing, Forms, Spreadsheet

An attacker can create a Google Document, Drawing, Form, Spreadsheet or Presentation in the victim's Google Drive and obtain edit permission on that document. In simple terms, the created document ends up shared with the attacker.

Vulnerable Domain:

https://docs.google.com

Google services vulnerable to this attack:

https://docs.google.com/drawings
https://docs.google.com/forms
https://docs.google.com/spreadsheet
https://docs.google.com/presentation
https://docs.google.com/document

Tested Browser Versions:

Attacker Browser: Internet Explorer 9
Victim Browser : Google Chrome Version 25.0.1364.152 m Updated

Steps:

– The attacker sends the victim a mail containing the malicious URL.
– The victim clicks it and interacts with the page.
– The attacker ends up with a document created in the victim's Google Drive, with edit permission for the attacker.
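The two attack classes named in the title are stopped on the server side by the same pair of controls: a state-changing request (here, "create a document and share it") must carry a per-session anti-CSRF token and come from the site's own origin, and the editor pages must refuse to be framed. The following is an added example written for this page, not Google's code; the origin `https://docs.example`, the `handle_create_document` endpoint and the request objects are assumptions constructed to show how a forged cross-site request is rejected while a legitimate one succeeds.

```python
"""Server-side checks against the two attack classes in the write-up:
a forged cross-site request that creates a document (CSRF) and a
framed, click-hijacked editor page (clickjacking).
Added example, not Google's code; all origins and requests are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://docs.example"  # assumption: the protected app's origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Bind a fresh random token to the session; the app embeds it in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(request: Request) -> Optional[str]:
    """Origin header wins; fall back to scheme+host of the Referer."""
    origin = request.headers.get("Origin")
    if origin:
        return origin
    referer = request.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return "{}://{}".format(parts.scheme, parts.netloc)
    return None


def check_csrf(request: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Safe methods pass; state changes need
    both a same-origin source and a token matching the session's."""
    if request.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = _origin_of(request)
    if origin is None:
        return False, "no Origin/Referer on state-changing request"
    if origin != SITE_ORIGIN:
        return False, "cross-site origin " + origin
    expected = request.session.get("csrf_token")
    supplied = request.form.get("csrf_token")
    if not expected or not supplied:
        return False, "missing CSRF token"
    if not hmac.compare_digest(expected, supplied):
        return False, "CSRF token mismatch"
    return True, "ok"


def frame_protection_headers() -> Dict[str, str]:
    """Response headers that forbid embedding the editor in an <iframe>."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def handle_create_document(request: Request) -> Tuple[int, Dict[str, str], str]:
    """Hypothetical document-creation endpoint: (status, headers, body)."""
    allowed, reason = check_csrf(request)
    headers = frame_protection_headers()
    if not allowed:
        return 403, headers, "rejected: " + reason
    return 201, headers, "document created"


def demo() -> List[Tuple[int, str]]:
    """Constructed traffic: a legitimate create, a cross-site forgery,
    and a same-origin request whose token was stripped."""
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {"title": "notes", "csrf_token": token}, session)
    # The browser sends the victim's cookies (session) with a cross-site
    # form post, but the attacker's page cannot read or supply the token.
    forged = Request("POST", {"Origin": "https://attacker.example"},
                     {"title": "shared-with-attacker"}, session)
    no_token = Request("POST", {"Origin": SITE_ORIGIN}, {"title": "x"}, session)
    results = []
    for req in (legit, forged, no_token):
        status, _, body = handle_create_document(req)
        results.append((status, body))
    return results


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

Running the block prints `201 document created` for the genuine request and `403` with the reason for the two forged ones. The origin check alone is not enough (older browsers omit `Origin`, and `Referer` can be suppressed), which is why the token is also required; the `frame-ancestors 'none'` header is what denies the clickjacking half, since a framed editor page simply never loads.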
