Softpedia
 


February 7th, 2012, 11:28 GMT · By Eduard Kovacs

Video PoC: Attackers Post on Google+ on User’s Behalf



Vulnerability Lab researchers find a flaw in Google+
Aditya Gupta, a researcher from the Vulnerability Lab, released a demonstration video to prove that a remotely exploitable issue could allow a cybercriminal to post a message on Google+ on the victim’s behalf.

These types of clickjacking schemes are not uncommon and they’re mostly used in spam campaigns launched on social networking sites or via email.

In the proof-of-concept (PoC) video, the expert shows that such an attack starts with a simple e-mail or a link posted on a social network, advertising a game.

The alleged game is simple. The user just has to click a couple of buttons and that’s it, but in reality, a hidden frame (with the opacity set to 0) is carefully placed in the background.

By using this technique, the attacker can make sure that each time the strategically placed buttons in the game are pressed, the unsuspecting user is actually clicking on the buttons from his Google+ account, making arbitrary posts or executing other commands.
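
The hidden-frame overlay described above only works if the target page allows itself to be rendered inside another site's frame. The check below is an added example, not taken from the article, the researcher or Google: it classifies a response's framing policy from its X-Frame-Options and CSP frame-ancestors headers. The function names and sample responses are constructed for illustration.

```javascript
// Added example: classify a response's anti-framing policy from its headers.
// Assumes one enforcing Content-Security-Policy header per response.
// Returns 'deny', 'same-origin', 'allowlist' or 'unprotected'.
function framingPolicy(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // An enforced CSP frame-ancestors directive overrides X-Frame-Options.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    // 'none' only has an effect when it is the sole source.
    const src = rest.map((s) => s.toLowerCase()).filter((s) => s !== "'none'");
    if (src.length === 0) return 'deny'; // 'none' or an empty source list
    if (src.some((s) => ['*', 'http:', 'https:'].includes(s))) return 'unprotected';
    if (src.every((s) => s === "'self'")) return 'same-origin';
    return 'allowlist';
  }

  // X-Frame-Options: conflicting values that include a known one block framing.
  const xfo = new Set((h['x-frame-options'] || '').split(',')
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  if (xfo.size > 1) {
    return ['deny', 'sameorigin', 'allowall'].some((v) => xfo.has(v)) ? 'deny' : 'unprotected';
  }
  if (xfo.has('deny')) return 'deny';
  if (xfo.has('sameorigin')) return 'same-origin';
  return 'unprotected'; // header absent, or obsolete ALLOW-FROM that browsers ignore
}

// Constructed sample responses for state-changing pages (not real traffic).
const SAMPLES = [
  { path: '/post/new', headers: {} },
  { path: '/settings', headers: { 'X-Frame-Options': 'SAMEORIGIN' } },
  { path: '/share', headers: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' } },
  { path: '/account', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" } },
  { path: '/widget', headers: { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' } },
];

// Paths whose responses any third-party page could load in a hidden frame.
function framablePaths(samples) {
  return samples.filter((s) => framingPolicy(s.headers) === 'unprotected').map((s) => s.path);
}

console.log(framablePaths(SAMPLES));
```

The /widget sample shows why both headers need to agree: a permissive frame-ancestors directive takes precedence, so the DENY in X-Frame-Options no longer protects the page.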

The issue has already been reported as part of Google's bug bounty program in January and the company’s security team took care of the problem.

The video posted by Aditya clearly demonstrates the potential of such a vulnerability, but it also acts as a good lesson to users.

Simple links, accompanied by a message that promises prizes or any interesting content, can always hide a malicious plan. While the user believes that he is only clicking on some innocent buttons, in reality the cleverly designed code ensures the success of the spam campaign.

This is why users are advised never to click on suspicious links received via email or social media sites. Most of the time they’re either taking part in a spam campaign, or even worse, they can be unknowingly downloading a piece of malware that gives the cybercriminals access to the device and the user's assets.

Check out the proof-of-concept video below.
