Missing X-Frame-Options HTTP response header allowed clickjacking

Apr 18, 2015 08:49 GMT  ·  By

By making its default search page appear reversed on April Fools' Day, Google created a clickjacking opportunity that cybercriminals could have exploited to alter the search results received by visitors of malicious websites.

The security problem emerged on April 1, when Google launched "com.google" on its generic top-level domain, a site that loaded the search page in an iframe so that its content was displayed backwards.

The parameter that instructed the server to deliver the modified version of the page, however, also caused an important security header, X-Frame-Options, to be omitted from the response, so the search page could be embedded in an iframe on third-party websites.

As a result, attackers could have embedded the Search Settings page in an iframe on their own websites, disguised as a harmless element, in order to trick visitors into changing their Google Search options without realizing it, thus carrying out a clickjacking attack.

X-Frame-Options header removed

Researchers at Netcraft discovered the vulnerability by inspecting the responses received from Google's Search Settings page and noticing that the X-Frame-Options header, which is present in the response for the normal page, was missing from the page that displays its content backwards.

In a blog post on Friday, Paul Mutton from Netcraft says that “for the purpose of the April Fool's joke, Google stepped around this problem by passing the parameter ‘igu=2’ to google.com, which not only told it to display the content backwards, but also instructed the server to omit the X-Frame-Options header entirely.”
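As an added example that is not Netcraft's or Google's code, the following Python check classifies the anti-framing protection a response carries and flags variants of the same page (such as query-parameter forms of a URL) whose protection is weaker than the baseline response. The header sets are constructed to mirror the behaviour described above; only the variant name "igu=2" is taken from the article.

```python
"""Classify anti-framing headers and spot variants of a page that lose them."""
from typing import Dict, List

# Ranking used to compare protection levels (higher is stronger).
_RANK = {"none": 0, "restricted": 1, "sameorigin": 2, "deny": 3}


def frame_protection(headers: Dict[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'restricted' or 'none' for a response header set.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options
    in browsers that support it, so it is evaluated first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "sameorigin"
            return "restricted"  # an explicit allow-list of origins
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    if xfo.startswith("ALLOW-FROM"):
        return "restricted"  # legacy form, ignored by many browsers
    return "none"  # no header at all: any site may frame the page


def framing_regressions(baseline: Dict[str, str],
                        variants: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of variants (e.g. query-parameter forms of the same URL) whose
    framing protection is weaker than the baseline response's."""
    base = _RANK[frame_protection(baseline)]
    return [name for name, hdrs in variants.items()
            if _RANK[frame_protection(hdrs)] < base]


# Constructed header sets modelled on the behaviour described in the article:
# the normal settings page carries X-Frame-Options, the igu=2 variant does not.
NORMAL_RESPONSE = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
IGU2_RESPONSE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print(framing_regressions(NORMAL_RESPONSE, {"igu=2": IGU2_RESPONSE}))  # ['igu=2']
```

In practice the header dictionaries would come from fetching each URL variant of a page that changes persistent settings, and any non-empty result is a regression worth blocking before release.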

Search settings are persistent

He added that victims would not have spotted a well-crafted clickjacking attack until it was too late and the modifications had been saved. Furthermore, the changed settings would persist when visiting the regular search page.

One of the risks of successful exploitation of this oversight was the disabling of the SafeSearch filters that exclude explicit content from search results.

Netcraft alerted Google of the issue, which has been addressed by the search giant.

Image: com.google displays content backwards

Image: "igu=2" parameter removes X-Frame-Options header