Through a bug in a Google Docs, hackers can have access to your private data

Almost all people have their confidential documents on their email. So, privacy is a must so that nobody can see or have access to your files. But recently, Google has addressed a flaw, that was in the feedback tool. Through which, private files could be exploited by the hackers by embedding them in a fake or malevolent website. In simple words, hackers can take a screenshot of your documents and can use these files for their benefits, or these hackers can take a ransom from you through blackmailing.

Sreeram KL a security researcher, pointed out such a flaw. He saved millions of confidential documents from the hands of hackers. Therefore, he was given almost $3200 as a reward for his tremendous job as a part of a vulnerability reward program.

Many people had to send feedback along with the option to take screenshot of a Google product. Google docs also have an option to send feedback or Help Docs improve. If a person sends such feedback along with the screenshot, attackers can have access to such screenshots.

This is not it. Google’s main website www.google.com has the same option of sending feedback. People’s feedback automatically uploaded to feedback.googleusercontent.com

How Sreeram pointed out such a flaw. He passed messages to feedback.googleusercontent.com, then he allowed the hackers to get these screenshots, which were to be uploaded on Google’s servers. The hacker easily got access to such screenshots, through this, Sreeram identified such a bug. Further, he identified the origin of the iframe is different from the google doc, and such a screenshot is rendered through a posted message. When a person includes the screenshot of a google doc in feedback. The is condensed by conveying RGB values of each pixel to google.com. such RGB values are then readdressed in a feedback domain.

If this bug was still unidentified, this could harm Google docs security. Many people can lose their private files and docs. Sreeram explained that hackers can alter the frame to a random malicious website, through which he can snip such an image or screenshot. He further explained that this bug was caused because the X-frame-option was not there in a google docs domain. Which made it possible to alter the origin of the message.

If you cannot provide the target origin of a cross-origin communication, it will reveal the sensitive data to external websites. This issue has now being addressed after being identified by the expert.

Previous Post Next Post