Exploiting Google Clickjacking Vulnerability to steal user cookies

Bug Type: Clickjacking Vulnerability
Browser: Android Browser
Vulnerable Module: Google Talkgadget / Hangouts
Url: https://talkgadget.google.com
Vulnerable Browser/users: Android < 4.4
Status: Fixed

Hello world :), I really hope you are all doing great. It has been a long time since I could post anything. This post is about a clickjacking vulnerability I found in one of Google's services, Google Hangouts. It was reported last year, and today I got the mail confirming their permanent fix. The vulnerable URL was

https://talkgadget.google.com/u/0/talkgadget/_/frame?hl=en#p (fixed)
The tricky, technical part is always how you extract content from the vulnerable page/domain once you have a clickjacking vulnerability: framing the page by itself gives you no access to what is inside it, because the Same Origin Policy (SOP) stops the framing page from reading the framed one. To exploit this vulnerability I used Mr. Rafay Baloch's research on the Android Browser Same Origin Policy bypass in versions < 4.4, which confirms that the SOP can be bypassed in Android Browsers older than 4.4. I would like to thank Mr. Rafay for permission to use his research in building this exploit.
I made the final webpage, which contains the following code:

All you need to do is send the URL of the crafted webpage to the victim; no further user interaction is required. Because the SOP bypass reads the framed page directly, the attack does not even need the click that a classic clickjacking attack relies on. Once the victim opens the page in a vulnerable Android browser, it sends their cookies to the remote URL and redirects the user to Google.
I have made a video PoC with a full explanation.

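The exploit code itself did not survive on this page, and the SOP bypass it relies on is Rafay Baloch's research, which is not reproduced here. What a practitioner can check independently is the clickjacking precondition the attack needs first: that the target response lets an arbitrary third-party page frame it. The following is an added example, not the author's code, that classifies a raw HTTP response header block by its X-Frame-Options and Content-Security-Policy frame-ancestors settings. The header samples are constructed for the example.

```javascript
// Added example (not the original exploit): decide whether a response can be
// framed by an arbitrary third-party page, which is the precondition for
// clickjacking. Works on a raw header block so it runs offline.

// Parse "Name: value" lines into a lowercase-keyed object; the status line and
// blank lines are skipped, repeated headers are comma-joined like HTTP clients do.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// Returns { framable: bool, reason: string }, where framable means "any
// third-party origin may frame this page".
function framingPolicy(raw) {
  const h = parseHeaders(raw);

  // CSP frame-ancestors takes precedence over X-Frame-Options in browsers that
  // support it, so it is evaluated first. Split on ';' (directives) and ','
  // (multiple CSP headers joined by parseHeaders).
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(/[;,]/).map(d => d.trim())
    .find(d => /^frame-ancestors\b/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1)
      .map(s => s.replace(/^'|'$/g, '').toLowerCase());
    // An empty source list is equivalent to 'none'
    if (sources.length === 0 || sources.includes('none')) {
      return { framable: false, reason: "frame-ancestors 'none'" };
    }
    if (sources.includes('*')) {
      return { framable: true, reason: 'frame-ancestors allows any origin' };
    }
    return { framable: false, reason: 'frame-ancestors restricted to ' + sources.join(' ') };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, reason: 'X-Frame-Options ' + xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM was never widely supported and is ignored by modern browsers,
    // so it gives no protection: flag it as unprotected.
    return { framable: true, reason: 'X-Frame-Options ALLOW-FROM is not honoured by most browsers' };
  }
  if (xfo) {
    return { framable: true, reason: 'unrecognised X-Frame-Options value "' + xfo + '" is ignored' };
  }
  return { framable: true, reason: 'no X-Frame-Options or frame-ancestors header' };
}

// Constructed sample responses (not captured from any real server).
const SAMPLES = {
  unprotected: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: SID=abc; Path=/\r\n',
  xfoDeny: 'HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n',
  allowFrom: 'HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n',
  cspNone: "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n" +
           "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n",
  cspAny: "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\n",
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  const r = framingPolicy(raw);
  console.log(name.padEnd(12), r.framable ? 'FRAMABLE  ' : 'protected ', r.reason);
}
```

A page that comes back as framable is only half of what this post's attack needs; without a browser-side SOP bypass, a framed page can still only be clicked, not read. That is why the fix for the report is on the server side (stop the page from being framed), while the cookie theft also depended on users running an Android browser older than 4.4.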
I would like to thank Eduardo from Google for handling the report. It was really nice to meet you and the other respected senior members of the Google security team (Michele, Josh, Chris, Kotowicz) at NullCon.

Thank you so much, Google, for the reward.

Thank you for reading, guys :)
P.S.: I made this exploit PoC after the bug was accepted.
