Glitch allowed password change, disabling 2FA

Jan 23, 2015 18:11 GMT  ·  By

Google awarded a security researcher $5,000 / €4,450 for discovering and reporting a cross-site-scripting vulnerability in the Google Apps administration console that could grant an attacker full control of the Google account.

Many businesses link their web domain to Google's hosted services, which gives them a suite of communication and collaboration tools such as Gmail, marketed together as Google Apps.

Attack relied on JavaScript code

Blizzard Entertainment security engineer Brett Buerhaus found an XSS flaw that could be triggered during log-in to the administration console.

The vulnerable step appears when the browser is signed in to at least two Google accounts: the log-in flow offers a form to switch between them, and selecting one runs JavaScript that redirects the browser to the page it should land on.

“The URL used in this JavaScript is supplied by the user in the continue request parameter. The continue request parameter is a fairly common request variable in the Google login flow. This is the only page that I could find that did not validate the URL passed into it. This allowed you to craft Cross-Site Scripting attacks by using ‘javascript:’ as part of the URL and it would execute when the browser location is redirected,” Buerhaus wrote in a blog post.
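The pattern Buerhaus describes, and one way to close it, as an added example that is not taken from the article or from his write-up. The console origin, the host allowlist and the function names are assumptions for the demo. Beyond the `javascript:` case the page discusses, it also rejects the off-origin and scheme-downgrade targets that the same unvalidated `continue` parameter would otherwise allow as an open redirect, since the fix for both is the same parse-then-allowlist check:

```javascript
// Added example (not from the article or Buerhaus's write-up): models the
// unvalidated `continue` redirect and a hardened replacement, runnable in Node.
// Origin and host allowlist below are assumptions for the demo.
const SAFE_ORIGIN = "https://admin.google.com";
const FALLBACK = SAFE_ORIGIN + "/";
const ALLOWED_HOSTS = new Set(["admin.google.com", "accounts.google.com"]);

// Pattern the article describes: whatever arrived in ?continue= is handed
// straight to the browser, e.g. `location.href = continueParam;` in page JS.
function vulnerableRedirect(continueParam) {
  return continueParam;
}

// A tempting but insufficient fix: a literal, case-sensitive prefix check.
// Browsers treat "JavaScript:" and " javascript:" (leading space) the same
// as "javascript:", so this still lets script URLs through.
function naiveRedirect(continueParam) {
  if (continueParam.startsWith("javascript:")) return FALLBACK;
  return continueParam;
}

// Hardened version: resolve the value with the WHATWG URL parser (which
// applies the same whitespace stripping and scheme lower-casing the browser
// will), then insist on https and an allowlisted host. Anything else goes
// to a fixed landing page. Parsing also catches "//evil.example" and
// "https://admin.google.com@evil.example" (credentials, not host).
function safeRedirect(continueParam) {
  let target;
  try {
    target = new URL(continueParam, SAFE_ORIGIN);
  } catch (e) {
    return FALLBACK;
  }
  if (target.protocol !== "https:") return FALLBACK;
  if (!ALLOWED_HOSTS.has(target.hostname)) return FALLBACK;
  return target.href;
}

// Would assigning this string to location.href run script? Decided with the
// same parser the browser uses, so it sees through case and whitespace tricks.
function wouldExecuteScript(redirectTarget) {
  try {
    return new URL(redirectTarget, SAFE_ORIGIN).protocol === "javascript:";
  } catch (e) {
    return false;
  }
}

// Constructed test inputs: the payload class from the write-up plus variants
// a prefix check misses, and off-origin targets an allowlist must catch.
const PAYLOADS = [
  "javascript:alert(document.domain)",
  "JavaScript:alert(document.domain)",
  " javascript:alert(document.domain)",
  "java\tscript:alert(document.domain)",
  "data:text/html,<script>alert(1)</script>",
  "//evil.example/phish",
  "https://admin.google.com@evil.example/phish",
  "http://admin.google.com/",           // wrong scheme, downgrade
  "/ServiceLogin?service=admin",        // legitimate relative target
  "https://accounts.google.com/Logout", // legitimate allowlisted host
];

// One row per payload: does each redirect variant end up running script,
// and where does the hardened one actually send the browser?
function compare() {
  return PAYLOADS.map((p) => ({
    input: p,
    vulnerable: wouldExecuteScript(vulnerableRedirect(p)),
    naive: wouldExecuteScript(naiveRedirect(p)),
    safe: wouldExecuteScript(safeRedirect(p)),
    safeTarget: safeRedirect(p),
  }));
}

console.table(compare());
```

The point of `safeRedirect` is that it never tries to enumerate bad schemes: it parses the value exactly as the browser will, then accepts only what it positively expects (https plus a known host) and sends everything else to a fixed page. A denylist of `javascript:` spellings is the check that the variants in `PAYLOADS` are built to get past.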

Attackers could master security settings for all users

Script running in a logged-in administrator's session could create new users at any permission level, including super admin, change the security settings of users or the domain, and alter domain settings so that incoming email is delivered to a different domain.

An attacker could also take over individual email accounts by resetting their log-in passwords, and could disable two-factor authentication, removing the extra challenge that would otherwise protect the targeted account.

Buerhaus demonstrated the issue with a proof-of-concept that retrieved the list of users, then changed the password and removed the security settings for one of them.

Google was informed of the flaw on September 1, 2014, and issued a fix on September 18. The researcher received the reward through the Vulnerability Reward Program on September 10, before the problem was fixed.

[Photo gallery, 2 images: JavaScript used in the attack; Controlling security settings for users]